Windows Analysis Report
Bg6DyC7lDh

Overview

General Information

Sample Name: Bg6DyC7lDh (renamed file extension from none to dll)
Analysis ID: 562461
MD5: 3fa1bec287b995a7f96dc3866eff577d
SHA1: c721507f4a11e090f107d071a99aaeffbdc0ea43
SHA256: f7a5f6bc0833474da5450e33786893ac7b996ba5e91ed0f7d3243dc4d7db5486
Tags: 32dllexetrojan
Infos:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Found malware configuration
Source: 11.2.rundll32.exe.5650000.18.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: Bg6DyC7lDh.dll Virustotal: Detection: 14% Perma Link
Machine Learning detection for sample
Source: Bg6DyC7lDh.dll Joe Sandbox ML: detected

Compliance
barindex
Uses 32bit PE files
Source: Bg6DyC7lDh.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10021854

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.207.230.120 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 139.196.72.155 144 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 74.207.230.120:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 203.153.216.46:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 185.168.130.138:443
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 198.199.98.78:8080
Source: Malware configuration extractor IPs: 194.9.172.107:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 59.148.253.194:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49762 -> 74.207.230.120:8080
Source: global traffic TCP traffic: 192.168.2.7:49765 -> 139.196.72.155:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 15
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 74.207.230.120
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: unknown TCP traffic detected without corresponding DNS query: 139.196.72.155
Source: svchost.exe, 0000001A.00000003.451274453.000002DEDAF44000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001A.00000003.451274453.000002DEDAF44000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z||.||031efeb6-e916-442f-a665-3e8426d4bc5a||1152921505694396307||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z||.||031efeb6-e916-442f-a665-3e8426d4bc5a||1152921505694396307||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001A.00000003.451210365.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000005.00000002.614981477.000002FA99060000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473621700.000002DEDAF00000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.614917318.000002FA99012000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473526103.000002DEDA6ED000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000B.00000003.338094646.0000000005511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bd5fe19e122a6
Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.322076624.000001A9C1413000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.779027574.000001FEA5042000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000003.320908225.000001A9C1467000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322149285.000001A9C146A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322090596.000001A9C1429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.322122135.000001A9C1447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321252960.000001A9C1446000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322115623.000001A9C1442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321477876.000001A9C1441000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.321017680.000001A9C1460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.322108516.000001A9C143E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.322076624.000001A9C1413000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.321367338.000001A9C1445000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.299068688.000001A9C1431000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321593288.000001A9C143A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000002.322127503.000001A9C144D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.321127969.000001A9C144B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001A.00000003.443630985.000002DEDAF90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.444014442.000002DEDAF7E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001A.00000003.447105193.000002DEDB402000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446901322.000002DEDAFC2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446829559.000002DEDAF8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446821206.000002DEDAF79000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.447041610.000002DEDAFAB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.446970410.000002DEDAFC2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10012C30 _memset,connect,send,recv, 2_2_10012C30

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.276483841.000000000153B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_1001B43F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1001B43F

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: Bg6DyC7lDh.dll, type: SAMPLE
Source: Yara match File source: 11.2.rundll32.exe.5250000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5700000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.46f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.53a0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5460000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4fa0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5380000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4fa0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4f70000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5170000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5100000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4de0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5510000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e10000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5280000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4dc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4fd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.51a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5100000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5670000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5350000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4af0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5060000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.46f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4ea0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c30000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5190000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5370000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4ea0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.48a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5130000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4dc0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.e10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.56d0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5490000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4de0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5510000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5680000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.e50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4ed0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5460000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.50c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.56d0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5250000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5370000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5030000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4d10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5540000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4df0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5670000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4730000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5170000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5060000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.287494272.0000000005381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780209080.0000000005701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296338746.0000000004F71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779999636.0000000005491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268531340.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296293943.0000000004E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.288455858.0000000004870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.274458477.0000000001501000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287862922.0000000005541000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779143719.0000000000E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.294626282.0000000001180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779418909.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.266354631.0000000004D11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296431152.0000000005131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287111363.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287132788.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.262826472.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.288482327.00000000048A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779603939.0000000005000000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287038579.0000000005070000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.778637126.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779449781.0000000004DF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779771482.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779542982.0000000004ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296459967.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296356591.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779971740.0000000005460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295961219.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.285682496.0000000001280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296375902.0000000004FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779631051.0000000005031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287469423.0000000005350000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779317583.0000000004731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295334948.0000000004B21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287075796.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.285736531.0000000004AF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780141318.0000000005681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779684590.0000000005191000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268562280.0000000000E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.271956434.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779867718.0000000005370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295156896.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287604820.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296406434.0000000005100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296276538.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.293864491.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779237002.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779911189.00000000053A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780100280.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287829918.0000000005510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779726684.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287729935.00000000054E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296314729.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296141210.0000000004C31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.288375637.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.266639849.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779504243.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780181061.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779651988.0000000005060000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780299654.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.294816386.00000000011C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.288125580.00000000056A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.288102612.0000000005670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276915244.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268591855.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary
barindex
Uses 32bit PE files
Source: Bg6DyC7lDh.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Lvetlyszixrl\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10036007 0_2_10036007
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10041050 0_2_10041050
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003130F 0_2_1003130F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030460 0_2_10030460
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10041592 0_2_10041592
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E59F 0_2_1003E59F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10036007 2_2_10036007
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041050 2_2_10041050
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003130F 2_2_1003130F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030460 2_2_10030460
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041592 2_2_10041592
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E59F 2_2_1003E59F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10040B0E 2_2_10040B0E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041C56 2_2_10041C56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10036CB5 2_2_10036CB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001CD16 2_2_1001CD16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10042D21 2_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10036007 3_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041050 3_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003130F 3_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030460 3_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041592 3_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E59F 3_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040B0E 3_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041C56 3_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10036CB5 3_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CD16 3_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10042D21 3_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D3512 4_2_011D3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C9700 4_2_011C9700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CF93D 4_2_011CF93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E1B54 4_2_011E1B54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C8D95 4_2_011C8D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DB391 4_2_011DB391
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CE243 4_2_011CE243
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DE498 4_2_011DE498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CEC9B 4_2_011CEC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DEE94 4_2_011DEE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DBE8C 4_2_011DBE8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D74DD 4_2_011D74DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C68DE 4_2_011C68DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D5CF9 4_2_011D5CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C70ED 4_2_011C70ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C911A 4_2_011C911A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CBD0F 4_2_011CBD0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CC309 4_2_011CC309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DFF31 4_2_011DFF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D0D33 4_2_011D0D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C472E 4_2_011C472E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E0D5B 4_2_011E0D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CF154 4_2_011CF154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DA156 4_2_011DA156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D4B56 4_2_011D4B56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C1950 4_2_011C1950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D2753 4_2_011D2753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C194C 4_2_011C194C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CBB4B 4_2_011CBB4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D0946 4_2_011D0946
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D3D41 4_2_011D3D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C777B 4_2_011C777B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D8D71 4_2_011D8D71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CAB66 4_2_011CAB66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C1F9B 4_2_011C1F9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E1993 4_2_011E1993
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CFD8C 4_2_011CFD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DC38F 4_2_011DC38F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CF58F 4_2_011CF58F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D9186 4_2_011D9186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C7B82 4_2_011C7B82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C3FB8 4_2_011C3FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DC9A9 4_2_011DC9A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D99AA 4_2_011D99AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D41A7 4_2_011D41A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C2FA1 4_2_011C2FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D45CD 4_2_011D45CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CCFCE 4_2_011CCFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DD3C8 4_2_011DD3C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D7BCA 4_2_011D7BCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DEBFF 4_2_011DEBFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D2BF6 4_2_011D2BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D561F 4_2_011D561F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C6A1F 4_2_011C6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CB41A 4_2_011CB41A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D363D 4_2_011D363D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D1831 4_2_011D1831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C2830 4_2_011C2830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D542E 4_2_011D542E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DA429 4_2_011DA429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C6C29 4_2_011C6C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CB821 4_2_011CB821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CC850 4_2_011CC850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C8650 4_2_011C8650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D5040 4_2_011D5040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CCA43 4_2_011CCA43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C9A7D 4_2_011C9A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E3672 4_2_011E3672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E146E 4_2_011E146E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CE86A 4_2_011CE86A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D026B 4_2_011D026B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E0867 4_2_011E0867
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D6864 4_2_011D6864
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D129C 4_2_011D129C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D109E 4_2_011D109E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011CAE9A 4_2_011CAE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DCC89 4_2_011DCC89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C6083 4_2_011C6083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D04B8 4_2_011D04B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011E04DE 4_2_011E04DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C6ED6 4_2_011C6ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DD8D7 4_2_011DD8D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DACD3 4_2_011DACD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C44FA 4_2_011C44FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C88F4 4_2_011C88F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011D64F1 4_2_011D64F1
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 10032B38 appears 32 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 10030D27 appears 91 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10032B38 appears 45 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030D5A appears 32 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030D27 appears 106 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 118 times
Sample file is different than original file name gathered from version info
Source: Bg6DyC7lDh.dll Binary or memory string: OriginalFilenameFinalChatSocketCli.exe> vs Bg6DyC7lDh.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: Bg6DyC7lDh.dll Virustotal: Detection: 14%
Source: Bg6DyC7lDh.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bg6DyC7lDh.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq",FloWMCkThX
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvetlyszixrl\grmpeubxplti.rrq",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bg6DyC7lDh.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq",FloWMCkThX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvetlyszixrl\grmpeubxplti.rrq",DllRegisterServer Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winDLL@32/9@0/34
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5728:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 0_2_100125C0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Bg6DyC7lDh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bg6DyC7lDh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bg6DyC7lDh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bg6DyC7lDh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bg6DyC7lDh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032B7D push ecx; ret 2_2_10032B90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030DFF push ecx; ret 2_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032B7D push ecx; ret 3_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030DFF push ecx; ret 3_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C114C push ds; ret 4_2_011C114D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011C15F5 push cs; retf 4_2_011C15FE
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1003D873
PE file contains an invalid checksum
Source: Bg6DyC7lDh.dll Static PE information: real checksum: 0x8f55d should be: 0x93bb7
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bg6DyC7lDh.dll

Persistence and Installation Behavior
barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lvetlyszixrl\grmpeubxplti.rrq:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zgbnpellpfgcalth\ckic.obq:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100134F0 IsIconic, 0_2_100134F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100134F0 IsIconic, 2_2_100134F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 2_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100134F0 IsIconic, 3_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10018C9A
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6344 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6844 Thread sleep time: -150000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 3.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.8 %
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 0_2_10030334
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000005.00000002.614981477.000002FA99060000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.614748959.000002FA93C29000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`3
Source: svchost.exe, 00000005.00000002.614970809.000002FA99054000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473526103.000002DEDA6ED000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.473428981.000002DEDA6A5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001A.00000002.473503354.000002DEDA6E1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 5-A1ED- @Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.779103437.000001FEA5066000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.779001338.000002352F429000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging
barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10037657
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1003D873
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 0_2_10002280
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011DD374 mov eax, dword ptr fs:[00000030h] 4_2_011DD374
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10037657
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10037657
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.207.230.120 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 139.196.72.155 144 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bg6DyC7lDh.dll",#1 Jump to behavior

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_1003F570
Source: C:\Windows\System32\loaddll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_10043730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1003F570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10043730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_10014B71
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003DAA7 cpuid 2_2_1003DAA7
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_1003906D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 2_2_1003CE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 0_2_10030A37

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000F.00000002.778982827.000002B012E40000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.778875427.000002B012E13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.779041295.000002B012F02000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: Bg6DyC7lDh.dll, type: SAMPLE
Source: Yara match File source: 11.2.rundll32.exe.5250000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5700000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.46f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.53a0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5460000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4fa0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5380000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4fa0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4f70000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5170000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5100000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4de0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.11c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5510000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e10000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5280000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4dc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4fd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.51a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5100000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5670000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5350000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5650000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4af0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4e40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5060000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.46f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4ea0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c30000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5190000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5370000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4ea0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.48a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5130000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4dc0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.e10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.56d0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5490000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4de0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.53b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5510000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5680000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.e50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4ed0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5460000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.50c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.56d0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5250000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5370000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4b20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5030000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4d10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5540000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4df0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5670000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4c00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.4730000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.de0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5170000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5060000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.287494272.0000000005381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780209080.0000000005701000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296338746.0000000004F71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779999636.0000000005491000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268531340.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296293943.0000000004E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.288455858.0000000004870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.274458477.0000000001501000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287862922.0000000005541000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779143719.0000000000E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.294626282.0000000001180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779418909.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.266354631.0000000004D11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296431152.0000000005131000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287111363.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287132788.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.262826472.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.288482327.00000000048A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779603939.0000000005000000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287038579.0000000005070000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.778637126.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779449781.0000000004DF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779771482.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779542982.0000000004ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296459967.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296356591.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779971740.0000000005460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295961219.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.285682496.0000000001280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296375902.0000000004FD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779631051.0000000005031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287469423.0000000005350000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779317583.0000000004731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295334948.0000000004B21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287075796.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.285736531.0000000004AF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780141318.0000000005681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779684590.0000000005191000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268562280.0000000000E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.271956434.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779867718.0000000005370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.295156896.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287604820.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296406434.0000000005100000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296276538.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.293864491.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779237002.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779911189.00000000053A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780100280.0000000005650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287829918.0000000005510000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779726684.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.287729935.00000000054E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296314729.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.296141210.0000000004C31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.288375637.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.266639849.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779504243.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780181061.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.779651988.0000000005060000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.780299654.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.294816386.00000000011C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.288125580.00000000056A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.288102612.0000000005670000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276915244.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268591855.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562461 Sample: Bg6DyC7lDh Startdate: 28/01/2022 Architecture: WINDOWS Score: 92 46 210.57.209.142 UNAIR-AS-IDUniversitasAirlanggaID Indonesia 2->46 48 118.98.72.86 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 2->48 50 29 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Emotet 2->62 64 3 other signatures 2->64 9 loaddll32.exe 1 2->9         started        11 svchost.exe 2->11         started        14 svchost.exe 9 1 2->14         started        17 7 other processes 2->17 signatures3 process4 dnsIp5 19 rundll32.exe 2 9->19         started        22 cmd.exe 1 9->22         started        24 regsvr32.exe 9->24         started        26 rundll32.exe 9->26         started        72 Changes security center settings (notifications, updates, antivirus, firewall) 11->72 28 MpCmdRun.exe 1 11->28         started        56 127.0.0.1 unknown unknown 14->56 signatures6 process7 signatures8 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->66 30 rundll32.exe 19->30         started        32 rundll32.exe 22->32         started        34 rundll32.exe 24->34         started        36 conhost.exe 28->36         started        process9 process10 38 rundll32.exe 30->38         started        42 rundll32.exe 2 32->42         started        44 BackgroundTransferHost.exe 13 32->44         started        dnsIp11 52 74.207.230.120, 49762, 8080 LINODE-APLinodeLLCUS United States 38->52 54 139.196.72.155, 49765, 8080 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 38->54 68 System process connects to network (likely due to code injection or exploit) 38->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->70 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
207.148.81.119
 unknown United States
20473 AS-CHOOPAUS true
104.131.62.48
 unknown United States
14061 DIGITALOCEAN-ASNUS true
198.199.98.78
 unknown United States
14061 DIGITALOCEAN-ASNUS true
194.9.172.107
 unknown unknown
207992 FEELBFR true
59.148.253.194
 unknown Hong Kong
9269 HKBN-AS-APHongKongBroadbandNetworkLtdHK true
74.207.230.120
 unknown United States
63949 LINODE-APLinodeLLCUS true
103.41.204.169
 unknown Indonesia
58397 INFINYS-AS-IDPTInfinysSystemIndonesiaID true
85.214.67.203
 unknown Germany
6724 STRATOSTRATOAGDE true
191.252.103.16
 unknown Brazil
27715 LocawebServicosdeInternetSABR true
168.197.250.14
 unknown Argentina
264776 OmarAnselmoRipollTDCNETAR true
185.148.168.15
 unknown Germany
44780 EVERSCALE-ASDE true
66.42.57.149
 unknown United States
20473 AS-CHOOPAUS true
139.196.72.155
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd true
217.182.143.207
 unknown France
16276 OVHFR true
203.153.216.46
 unknown Indonesia
45291 SURF-IDPTSurfindoNetworkID true
159.69.237.188
 unknown Germany
24940 HETZNER-ASDE true
116.124.128.206
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
37.59.209.141
 unknown France
16276 OVHFR true
78.46.73.125
 unknown Germany
24940 HETZNER-ASDE true
210.57.209.142
 unknown Indonesia
38142 UNAIR-AS-IDUniversitasAirlanggaID true
185.148.168.220
 unknown Germany
44780 EVERSCALE-ASDE true
54.37.228.122
 unknown France
16276 OVHFR true
185.168.130.138
 unknown Ukraine
49720 GIGACLOUD-ASUA true
190.90.233.66
 unknown Colombia
18678 INTERNEXASAESPCO true
142.4.219.173
 unknown Canada
16276 OVHFR true
54.38.242.185
 unknown France
16276 OVHFR true
195.154.146.35
 unknown France
12876 OnlineSASFR true
195.77.239.39
 unknown Spain
60493 FICOSA-ASES true
78.47.204.80
 unknown Germany
24940 HETZNER-ASDE true
118.98.72.86
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
37.44.244.177
 unknown Germany
47583 AS-HOSTINGERLT true
62.171.178.147
 unknown United Kingdom
51167 CONTABODE true
128.199.192.135
 unknown United Kingdom
14061 DIGITALOCEAN-ASNUS true

Private

IP
127.0.0.1