Windows Analysis Report YBfn5E3Dlw

Overview

General Information

Sample Name: YBfn5E3Dlw (renamed file extension from none to dll)
Analysis ID: 553389
MD5: 038f9a9d5b96733a9b3030cfbe4e4535
SHA1: 3b8a4b81f0b06514188e4f935d5f4b0858b93806
SHA256: d46762ba155e3345baf5d9e9453e6cd8e0647438693abddf34f98ae8d6bd436a
Tags: 32dllexe
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 3.2.rundll32.exe.1270000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: YBfn5E3Dlw.dll Virustotal: Detection: 13% Perma Link
Source: YBfn5E3Dlw.dll ReversingLabs: Detection: 16%
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.685499614.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: a,njr/nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.702514723.0000000000C92000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb^;V source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49790 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49791 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49791 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.808025358.000002EBAEF9A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000013.00000003.808009499.000002EBAEF89000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.808025358.000002EBAEF9A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.797831487.000002EBAEF82000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000013.00000003.800332710.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800427811.000002EBAF402000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800351036.000002EBAEFA1000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800401036.000002EBAEF8A000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.800383001.000002EBAEF79000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001280 recvfrom, 2_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000000.678773988.000000000111B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_10027958

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.59f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5630000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5690000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5500000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5420000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5660000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.b80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.59f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4780000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5a20000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4750000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4720000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5690000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.b20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5630000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.c60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4780000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.680031217.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.687070469.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684992268.0000000003450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703964616.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687871792.0000000005661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687254093.0000000005501000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686420197.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688080295.0000000005690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687539122.0000000005630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670630923.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.679124499.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717791244.00000000047B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.687321793.0000000000B81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717740715.0000000004780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.704266978.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.679046535.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.670153557.0000000000C61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.670105180.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.679999425.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688465307.00000000059F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716834900.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688659098.0000000005A21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670654175.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716329937.0000000000B21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688152191.00000000056C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717660130.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715971380.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686930115.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716952958.00000000011F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717702240.0000000004751000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.685377727.0000000003601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686624450.0000000005421000.00000020.00000001.sdmp, type: MEMORY

System Summary:

barindex
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ytghf\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFEFDD 0_2_02AFEFDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF3EAA 0_2_02AF3EAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEBAA9 0_2_02AEBAA9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFA2A5 0_2_02AFA2A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B046BD 0_2_02B046BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE1CA1 0_2_02AE1CA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF0EBC 0_2_02AF0EBC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF0ABA 0_2_02AF0ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEC6B8 0_2_02AEC6B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B036AA 0_2_02B036AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEF0E9 0_2_02AEF0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFE4E5 0_2_02AFE4E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFBEFD 0_2_02AFBEFD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B03EE9 0_2_02B03EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B000EF 0_2_02B000EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE80C0 0_2_02AE80C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFD8DB 0_2_02AFD8DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFCCD9 0_2_02AFCCD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFCAD5 0_2_02AFCAD5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEB820 0_2_02AEB820
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE8636 0_2_02AE8636
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE3431 0_2_02AE3431
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF7A0F 0_2_02AF7A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF8806 0_2_02AF8806
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF9A01 0_2_02AF9A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B02009 0_2_02B02009
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF4A66 0_2_02AF4A66
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B03263 0_2_02B03263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B00A64 0_2_02B00A64
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF567B 0_2_02AF567B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE7078 0_2_02AE7078
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE7E79 0_2_02AE7E79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEDE74 0_2_02AEDE74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFA474 0_2_02AFA474
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFDC71 0_2_02AFDC71
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEA871 0_2_02AEA871
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEA445 0_2_02AEA445
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF4244 0_2_02AF4244
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE7442 0_2_02AE7442
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEE640 0_2_02AEE640
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFF840 0_2_02AFF840
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF2E5D 0_2_02AF2E5D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFB257 0_2_02AFB257
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF8FAE 0_2_02AF8FAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B017BD 0_2_02B017BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE77A3 0_2_02AE77A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEBFBE 0_2_02AEBFBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFD1BC 0_2_02AFD1BC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE57B8 0_2_02AE57B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B007AA 0_2_02B007AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEFB8E 0_2_02AEFB8E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE238C 0_2_02AE238C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF6187 0_2_02AF6187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF0F86 0_2_02AF0F86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF3D85 0_2_02AF3D85
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE2194 0_2_02AE2194
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF67E6 0_2_02AF67E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF85FF 0_2_02AF85FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE55FF 0_2_02AE55FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE4BFC 0_2_02AE4BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF27F9 0_2_02AF27F9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFE1F8 0_2_02AFE1F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF9DF5 0_2_02AF9DF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF07F4 0_2_02AF07F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEE7DE 0_2_02AEE7DE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFFBDE 0_2_02AFFBDE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEC5D8 0_2_02AEC5D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFC5D5 0_2_02AFC5D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF8D3D 0_2_02AF8D3D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE1F38 0_2_02AE1F38
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF5333 0_2_02AF5333
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEEF0C 0_2_02AEEF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE670B 0_2_02AE670B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFAD08 0_2_02AFAD08
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B02B09 0_2_02B02B09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF5515 0_2_02AF5515
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEF369 0_2_02AEF369
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE6B7A 0_2_02AE6B7A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF017B 0_2_02AF017B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF437A 0_2_02AF437A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF5779 0_2_02AF5779
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF4F74 0_2_02AF4F74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF9774 0_2_02AF9774
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AED14C 0_2_02AED14C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02B02D53 0_2_02B02D53
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF654A 0_2_02AF654A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF2142 0_2_02AF2142
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AF7D5B 0_2_02AF7D5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFFF58 0_2_02AFFF58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AFE955 0_2_02AFE955
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100291F6 2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F378 2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100403D7 2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004250B 2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041557 2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100395A1 2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F784 2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1004091B 2_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002EACF 2_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002FBA4 2_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100291F6 3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F378 3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100403D7 3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004250B 3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041557 3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100395A1 3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F784 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004091B 3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EACF 3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002FBA4 3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035D96 3_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040E5F 3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002EFA4 3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100291F6 4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F378 4_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100403D7 4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004250B 4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10041557 4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100395A1 4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F784 4_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004091B 4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002EACF 4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002FBA4 4_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10035D96 4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10040E5F 4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002EFA4 4_2_1002EFA4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 75 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030568 appears 32 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: YBfn5E3Dlw.dll Virustotal: Detection: 13%
Source: YBfn5E3Dlw.dll ReversingLabs: Detection: 16%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YBfn5E3Dlw.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja",rArKTBwXKBsr Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dfktehrjwgeevy\pakqi.bja",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF761.tmp Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winDLL@26/10@0/28
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5628:64:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource, 2_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.685499614.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.690080981.00000000050A5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: a,njr/nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.702514723.0000000000C92000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.690025139.00000000050A2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.685885045.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685567908.0000000003297000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685783143.0000000003297000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.685556011.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.685774449.0000000003291000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.690087047.00000000050A8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.690035610.00000000050A8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.690016082.00000000050D1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb^;V source: WerFault.exe, 0000000C.00000003.690074916.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.685541913.000000000328C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.686171794.000000000328C000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AE1195 push cs; iretd 0_2_02AE1197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003060D push ecx; ret 2_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003060D push ecx; ret 3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030E7D push ecx; ret 3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003060D push ecx; ret 4_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10030E7D push ecx; ret 4_2_10030E90
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YBfn5E3Dlw.dll

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ytghf\cgnbs.rer:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Dfktehrjwgeevy\pakqi.bja:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 4_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5636 Thread sleep time: -180000s >= -30000s Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.4 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.12.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000013.00000002.823902052.000002EBAE6F8000.00000004.00000001.sdmp Binary or memory string: (@Hyper-V RAW
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: VMware7,1
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000013.00000002.823886227.000002EBAE6E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000013.00000002.823744367.000002EBAE687000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 2_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEF7F7 mov eax, dword ptr fs:[00000030h] 0_2_02AEF7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02AEC6B8 LdrInitializeThunk, 0_2_02AEC6B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YBfn5E3Dlw.dll",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6260 -ip 6260 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 552 Jump to behavior
Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.678909155.00000000015A0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.679921964.00000000015A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 2_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 2_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 3_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 4_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 4_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 4_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 4_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 4_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 4_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 4_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 4_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 4_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 4_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1003732F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024F01 _memset,GetVersionExA, 3_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.59f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5630000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5690000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56c0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5500000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5420000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5660000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.b80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.59f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4780000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5a20000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4750000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4720000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5690000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.b20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5630000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.c60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4780000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.680031217.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.687070469.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684992268.0000000003450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703964616.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687871792.0000000005661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687254093.0000000005501000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686420197.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688080295.0000000005690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687539122.0000000005630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670630923.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.679124499.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717791244.00000000047B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.687321793.0000000000B81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717740715.0000000004780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.704266978.0000000002AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.679046535.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.670153557.0000000000C61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.670105180.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.679999425.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688465307.00000000059F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716834900.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688659098.0000000005A21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.670654175.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716329937.0000000000B21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688152191.00000000056C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717660130.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.715971380.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686930115.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.716952958.00000000011F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.717702240.0000000004751000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.685377727.0000000003601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686624450.0000000005421000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 4_2_10001160
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs