Windows Analysis Report 9fC0as7YLE

Overview

General Information

Sample Name: 9fC0as7YLE (renamed file extension from none to dll)
Analysis ID: 524854
MD5: 1436a43cdd37d5e362b0699552b446ed
SHA1: c3c2a766ecd7b01e4aec5810ed5dbeff6036c432
SHA256: f7c6e16173099ee6d999c37b5eeb327446cb836ff6c5455454cfb22775fb9624
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 18.2.rundll32.exe.9d4738.1.raw.unpack Malware Configuration Extractor: Emotet
{
  "Public Key": [
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"
  ],
  "C2 list": [
    "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
    "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
    "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
    "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
    "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"
  ]
}
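The configuration the extractor dumps above can be checked rather than copied straight into a blocklist. The following Python is an added example, not part of the sandbox report or of any Emotet tooling. It treats the two Public Key strings as base64-encoded Windows CNG BCRYPT_ECCKEY_BLOB structures (4-byte magic, 4-byte little-endian key length, then big-endian X and Y), verifies that the decoded coordinates lie on NIST P-256 so a decoding mistake is caught, exports them in SEC1 uncompressed form, and turns the C2 list into (ip, port) tuples and Snort-style rules. The config values are copied from the report; the function names, rule text and SID range are assumptions.

```python
"""Decode and sanity-check the Emotet configuration reported above (added example)."""
import base64
import ipaddress
import struct

# Values copied from the sandbox's extractor output.
CONFIG = {
    "Public Key": [
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    ],
    "C2 list": [
        "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
        "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
        "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
        "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
        "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443",
    ],
}

# CNG public-key blob magics from bcrypt.h: "ECK1" = ECDH P-256, "ECS1" = ECDSA P-256.
MAGICS = {b"ECK1": "ECDH_P256", b"ECS1": "ECDSA_P256"}

# NIST P-256: y^2 = x^3 - 3x + b over GF(p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def decode_cng_ecc_blob(b64):
    """Parse a base64 BCRYPT_ECCKEY_BLOB into its algorithm and affine point."""
    raw = base64.b64decode(b64)
    magic = raw[:4]
    (cb_key,) = struct.unpack("<I", raw[4:8])          # little-endian DWORD
    if magic not in MAGICS:
        raise ValueError(f"unknown CNG magic {magic!r}")
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob is {len(raw)} bytes, expected {8 + 2 * cb_key}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")        # coordinates are big-endian
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    return {"alg": MAGICS[magic], "cb_key": cb_key, "x": x, "y": y}


def on_p256(x, y):
    """True if (x, y) satisfies the P-256 curve equation; catches decode mistakes."""
    return (y * y - (pow(x, 3, P256_P) - 3 * x + P256_B)) % P256_P == 0


def sec1_uncompressed(point):
    """0x04 || X || Y, the form most crypto libraries accept for an EC public key."""
    n = point["cb_key"]
    return b"\x04" + point["x"].to_bytes(n, "big") + point["y"].to_bytes(n, "big")


def parse_c2(entries):
    """Turn 'ip:port' strings into (ip, port) tuples, rejecting malformed ones."""
    out = []
    for entry in entries:
        host, port = entry.rsplit(":", 1)
        out.append((str(ipaddress.ip_address(host)), int(port)))
    return out


def snort_rules(c2, base_sid=9000001):
    """One alert rule per C2 endpoint (assumed SID range), loadable into Snort/Suricata."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 from extracted config"; flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


def observed_matches_config(ip, port, c2):
    """Check a sandbox-observed connection (e.g. 51.178.61.60:443) against the config."""
    return (ip, port) in set(c2)


if __name__ == "__main__":
    for b64 in CONFIG["Public Key"]:
        pt = decode_cng_ecc_blob(b64)
        print(pt["alg"], "on curve:", on_p256(pt["x"], pt["y"]), sec1_uncompressed(pt).hex()[:16] + "...")
    c2 = parse_c2(CONFIG["C2 list"])
    print("observed 51.178.61.60:443 in config:", observed_matches_config("51.178.61.60", 443, c2))
    print("\n".join(snort_rules(c2)[:2]))
```

The ECDH key is what the bot uses to derive the session key for its C2 traffic and the ECDSA key is what it verifies downloaded modules against, so a config whose keys fail the on-curve check was extracted incorrectly and should not be trusted as an IOC source.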
Multi AV Scanner detection for submitted file
Source: 9fC0as7YLE.dll Virustotal: Detection: 19%

Compliance:

Uses 32bit PE files
Source: 9fC0as7YLE.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: 9fC0as7YLE.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE0D1EE FindFirstFileExA, 0_2_6EE0D1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE0D1EE FindFirstFileExA, 2_2_6EE0D1EE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49767 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /PpGHOEhwQiOjTmUx HTTP/1.1
Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7OfqgmBnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOmbpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60 (10 occurrences)
Source: svchost.exe, 00000024.00000003.666031431.000002626C7A0000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000024.00000003.666031431.000002626C7A0000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.facebook.com (Facebook)
Source: svchost.exe, 00000024.00000003.666031431.000002626C7A0000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.twitter.com (Twitter)
Source: svchost.exe, 00000005.00000002.623863529.0000028AF7287000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.682183919.000002626C700000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.623723166.0000028AF7200000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.394320457.00000233D1049000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.394579382.00000233D1041000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.394579382.00000233D1041000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000002.395055779.00000233D1064000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000024.00000003.660846530.000002626C7BE000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.660897729.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.660806852.000002626C79C000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: global traffic HTTP traffic detected:
GET /PpGHOEhwQiOjTmUx HTTP/1.1
Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7OfqgmBnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOmbpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49767 version: TLS 1.2
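The GET to 51.178.61.60 is the only traffic in this section that belongs to the sample; the svchost.exe strings listed above (Bing Maps, WNS, Store, Xbox and CRL endpoints) come from Windows services running inside the sandbox. The following Python is an added example, not from the report or any vendor rule set. It scores a raw HTTP request for the traits that request shows: no User-Agent, a bare IP in Host, a single cookie whose value is a long base64 blob, a random alphanumeric path, and a destination in the extracted C2 list. The Emotet request is the one recorded above with its headers re-split onto CRLF; the benign request, the thresholds and the C2 subset are constructed assumptions.

```python
"""Heuristic scoring of an HTTP request against the Emotet C2 request pattern (added example)."""
import ipaddress
import re

# Request the sandbox recorded, header lines restored to CRLF form.
EMOTET_REQUEST = (
    "GET /PpGHOEhwQiOjTmUx HTTP/1.1\r\n"
    "Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7Ofqgm"
    "BnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOm"
    "bpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

# Subset of the C2 list from the extracted configuration in this report.
KNOWN_C2 = {"51.178.61.60", "168.197.250.14", "45.79.33.48"}

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line and lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def bare_ip_host(host):
    """Return the IP string if the Host header is a literal IPv4 address, else None."""
    try:
        return str(ipaddress.ip_address(host.rsplit(":", 1)[0]))
    except ValueError:
        return None


def score_request(raw, min_blob=96):
    """Return the Emotet-like traits found; an empty list means nothing suspicious."""
    req = parse_request(raw)
    h = req["headers"]
    reasons = []
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    ip = bare_ip_host(h.get("host", ""))
    if ip:
        reasons.append("Host header is a bare IP address")
        if ip in KNOWN_C2:
            reasons.append("destination is in the extracted Emotet C2 list")
    # Emotet carries its encrypted request in one cookie name=value pair.
    pairs = [p.strip() for p in h.get("cookie", "").split(";") if p.strip()]
    if len(pairs) == 1 and "=" in pairs[0]:
        name, value = pairs[0].split("=", 1)
        if len(value) >= min_blob and BASE64_RE.fullmatch(value):
            reasons.append(f"single cookie {name!r} carries a {len(value)}-char base64 blob")
    if re.fullmatch(r"/[A-Za-z0-9]{8,24}", req["path"]):
        reasons.append("random-looking alphanumeric path")
    return reasons


if __name__ == "__main__":
    for label, raw in (("emotet", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, score_request(raw))
```

Any one of these traits is weak on its own (plenty of software omits User-Agent or talks to bare IPs); the value is in the combination, and the bare-IP Host header also explains the "TCP traffic detected without corresponding DNS query" entries above.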

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 0_2_6EDE5EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.db4210.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.e243b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5841b0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.115c740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.9d4738.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.9d4738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.db4210.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.e243b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.115c740.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5841b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.33e4348.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.33e4348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.352594245.0000000000E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.773392509.00000000009BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.377195356.00000000033CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310049703.00000000004A5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.364267803.0000000000D9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.310032322.000000000056A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.365672207.000000000114A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 9fC0as7YLE.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\
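The two rundll32.exe file events above (a new directory with a random name directly under SysWOW64, then deletion of the dropped file's Zone.Identifier stream) are the persistence footprint worth hunting for on other hosts. The following Python is an added example, not from the report or any vendor rule. It runs over constructed file-activity records modelled on those two paths plus a benign TrustedInstaller event, and flags non-installer writes into a random-named system subdirectory and any deletion of a :Zone.Identifier stream. The event field names, the installer allow-list and the consonant-run heuristic are assumptions.

```python
"""Flag Emotet-style drops into the Windows system directory (added example)."""
import re

# Constructed events mirroring the report's rundll32.exe activity; the last one
# is a benign contrast case (also constructed).
EVENTS = [
    {"image": "C:\\Windows\\SysWOW64\\rundll32.exe", "op": "dir_create",
     "path": "C:\\Windows\\SysWOW64\\Dkrmyysnwhbfjv\\"},
    {"image": "C:\\Windows\\SysWOW64\\rundll32.exe", "op": "file_create",
     "path": "C:\\Windows\\SysWOW64\\Dkrmyysnwhbfjv\\jwypbohhelrk.uxw"},
    {"image": "C:\\Windows\\SysWOW64\\rundll32.exe", "op": "file_delete",
     "path": "C:\\Windows\\SysWOW64\\Dkrmyysnwhbfjv\\jwypbohhelrk.uxw:Zone.Identifier"},
    {"image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "op": "file_create",
     "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Images expected to populate the system directories (assumed allow-list).
INSTALLERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "dism.exe"}


def system_subdir(path):
    """First directory component below System32/SysWOW64, or None for a file in the base dir."""
    low = path.lower()
    for base in SYSTEM_DIRS:
        if low.startswith(base):
            parts = path[len(base):].split("\\")
            return parts[0] if len(parts) > 1 else None
    return None


def looks_random(name, run=5):
    """Heuristic: five or more consecutive consonants is rare in real Windows directory names."""
    return re.search(r"[b-df-hj-np-tv-xz]{%d,}" % run, name.lower()) is not None


def analyse(events):
    """Return (severity, message) findings for the drop-and-strip-MOTW pattern."""
    findings = []
    seen = set()
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        path = ev["path"]
        sub = system_subdir(path)
        # Non-installer process creating things in a random-named system subdirectory.
        if ev["op"] in ("dir_create", "file_create") and sub and image not in INSTALLERS:
            if looks_random(sub) and (image, sub.lower()) not in seen:
                seen.add((image, sub.lower()))
                findings.append(("high", f"{image} populated random-named system subdirectory {sub!r}"))
        # Deleting the Zone.Identifier stream removes the mark-of-the-web from the dropped file.
        if ev["op"] == "file_delete" and path.lower().endswith(":zone.identifier"):
            target = path.rsplit(":", 1)[0]
            findings.append(("high", f"{image} removed the Zone.Identifier stream from {target}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyse(EVENTS):
        print(severity, message)
```

On a live host the same two checks map onto Sysmon event 11 (FileCreate) and 23/26 (FileDelete) filtered to TargetFilename under System32 or SysWOW64, with the Zone.Identifier deletion being the higher-confidence signal because legitimate software almost never strips that stream from a file it just wrote into the Windows directory.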
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8CAA8 0_2_00D8CAA8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7441E 0_2_00D7441E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D843B3 0_2_00D843B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D80ADE 0_2_00D80ADE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D908D1 0_2_00D908D1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D87ED1 0_2_00D87ED1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8CCD4 0_2_00D8CCD4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8BEC9 0_2_00D8BEC9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D730F6 0_2_00D730F6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8A8F0 0_2_00D8A8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8DEF4 0_2_00D8DEF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8AEEB 0_2_00D8AEEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8ECE3 0_2_00D8ECE3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7AC95 0_2_00D7AC95
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8AC9B 0_2_00D8AC9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D73C91 0_2_00D73C91
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8D091 0_2_00D8D091
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D84E8A 0_2_00D84E8A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8748A 0_2_00D8748A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D77283 0_2_00D77283
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7CC8D 0_2_00D7CC8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D90687 0_2_00D90687
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D890BA 0_2_00D890BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D75AB2 0_2_00D75AB2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D898BD 0_2_00D898BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D844AA 0_2_00D844AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7FEA0 0_2_00D7FEA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7DAAE 0_2_00D7DAAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D878A5 0_2_00D878A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8D6A7 0_2_00D8D6A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D79A57 0_2_00D79A57
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D72654 0_2_00D72654
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D72A46 0_2_00D72A46
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D73845 0_2_00D73845
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D72043 0_2_00D72043
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8E441 0_2_00D8E441
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7A048 0_2_00D7A048
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D71C76 0_2_00D71C76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8406E 0_2_00D8406E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7F41F 0_2_00D7F41F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D81C10 0_2_00D81C10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7E21C 0_2_00D7E21C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D74C00 0_2_00D74C00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D71A0A 0_2_00D71A0A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7220A 0_2_00D7220A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D78C09 0_2_00D78C09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D91A3C 0_2_00D91A3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8F83F 0_2_00D8F83F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7EC27 0_2_00D7EC27
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7D223 0_2_00D7D223
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D79E22 0_2_00D79E22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D85220 0_2_00D85220
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7A3DF 0_2_00D7A3DF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D76FC4 0_2_00D76FC4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D925C3 0_2_00D925C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D903F1 0_2_00D903F1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7C5FE 0_2_00D7C5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8BFE8 0_2_00D8BFE8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D755E8 0_2_00D755E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8D99A 0_2_00D8D99A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7FD91 0_2_00D7FD91
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D91193 0_2_00D91193
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8B397 0_2_00D8B397
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D79384 0_2_00D79384
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D84D8D 0_2_00D84D8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7758F 0_2_00D7758F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D74F8E 0_2_00D74F8E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7BFB6 0_2_00D7BFB6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D87BB2 0_2_00D87BB2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8B1B5 0_2_00D8B1B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D84BAA 0_2_00D84BAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D89DA1 0_2_00D89DA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D82FA2 0_2_00D82FA2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D73F5C 0_2_00D73F5C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7C158 0_2_00D7C158
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D73345 0_2_00D73345
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8F14D 0_2_00D8F14D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D91343 0_2_00D91343
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8577E 0_2_00D8577E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8056A 0_2_00D8056A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D81F6B 0_2_00D81F6B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8FD10 0_2_00D8FD10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D7251C 0_2_00D7251C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D73502 0_2_00D73502
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D72309 0_2_00D72309
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D90B34 0_2_00D90B34
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D9292B 0_2_00D9292B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D76B25 0_2_00D76B25
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D75923 0_2_00D75923
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE6620 0_2_6EDE6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE5730 0_2_6EDE5730
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE0C6FE 0_2_6EE0C6FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE5EE0 0_2_6EDE5EE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFA60F 0_2_6EDFA60F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE03780 0_2_6EE03780
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDEF700 0_2_6EDEF700
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF1CD0 0_2_6EDF1CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFDC5D 0_2_6EDFDC5D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF7C47 0_2_6EDF7C47
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFA29D 0_2_6EDFA29D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE2A80 0_2_6EDE2A80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFDA2D 0_2_6EDFDA2D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFA8B9 0_2_6EDFA8B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE13074 0_2_6EE13074
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFA1F0 0_2_6EDFA1F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE11929 0_2_6EE11929
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B390BA 2_2_00B390BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3CAA8 2_2_00B3CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3DEF4 2_2_00B3DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3ECE3 2_2_00B3ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3AEEB 2_2_00B3AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B408D1 2_2_00B408D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2441E 2_2_00B2441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2F41F 2_2_00B2F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B24C00 2_2_00B24C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B22043 2_2_00B22043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B22A46 2_2_00B22A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B23845 2_2_00B23845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B37BB2 2_2_00B37BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3D99A 2_2_00B3D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B29384 2_2_00B29384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3056A 2_2_00B3056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B25AB2 2_2_00B25AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B398BD 2_2_00B398BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2FEA0 2_2_00B2FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3D6A7 2_2_00B3D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B378A5 2_2_00B378A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B344AA 2_2_00B344AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2DAAE 2_2_00B2DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3D091 2_2_00B3D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B23C91 2_2_00B23C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2AC95 2_2_00B2AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3AC9B 2_2_00B3AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B27283 2_2_00B27283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B40687 2_2_00B40687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B34E8A 2_2_00B34E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3748A 2_2_00B3748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2CC8D 2_2_00B2CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3A8F0 2_2_00B3A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B230F6 2_2_00B230F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B37ED1 2_2_00B37ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3CCD4 2_2_00B3CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B30ADE 2_2_00B30ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3BEC9 2_2_00B3BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B41A3C 2_2_00B41A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3F83F 2_2_00B3F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B29E22 2_2_00B29E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2D223 2_2_00B2D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B35220 2_2_00B35220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2EC27 2_2_00B2EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B31C10 2_2_00B31C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2E21C 2_2_00B2E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B21A0A 2_2_00B21A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2220A 2_2_00B2220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B28C09 2_2_00B28C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B21C76 2_2_00B21C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3406E 2_2_00B3406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B29A57 2_2_00B29A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B22654 2_2_00B22654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3E441 2_2_00B3E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2A048 2_2_00B2A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B343B3 2_2_00B343B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2BFB6 2_2_00B2BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3B1B5 2_2_00B3B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B32FA2 2_2_00B32FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B39DA1 2_2_00B39DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B34BAA 2_2_00B34BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2FD91 2_2_00B2FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3B397 2_2_00B3B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B41193 2_2_00B41193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B24F8E 2_2_00B24F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2758F 2_2_00B2758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B34D8D 2_2_00B34D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B403F1 2_2_00B403F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2C5FE 2_2_00B2C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B255E8 2_2_00B255E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3BFE8 2_2_00B3BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2A3DF 2_2_00B2A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B26FC4 2_2_00B26FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B425C3 2_2_00B425C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B40B34 2_2_00B40B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B25923 2_2_00B25923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B26B25 2_2_00B26B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B4292B 2_2_00B4292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3FD10 2_2_00B3FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2251C 2_2_00B2251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B23502 2_2_00B23502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B22309 2_2_00B22309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3577E 2_2_00B3577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B31F6B 2_2_00B31F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B2C158 2_2_00B2C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B23F5C 2_2_00B23F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B23345 2_2_00B23345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B41343 2_2_00B41343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3F14D 2_2_00B3F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE6620 2_2_6EDE6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE5730 2_2_6EDE5730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE0C6FE 2_2_6EE0C6FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE5EE0 2_2_6EDE5EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE03780 2_2_6EE03780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDEF700 2_2_6EDEF700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDF1CD0 2_2_6EDF1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDFDC5D 2_2_6EDFDC5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDFA29D 2_2_6EDFA29D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE2A80 2_2_6EDE2A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDFDA2D 2_2_6EDFDA2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE13074 2_2_6EE13074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE11929 2_2_6EE11929
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C441E 3_2_007C441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DCAA8 3_2_007DCAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D43B3 3_2_007D43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C1C76 3_2_007C1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D406E 3_2_007D406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C2654 3_2_007C2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C9A57 3_2_007C9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CA048 3_2_007CA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C3845 3_2_007C3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C2A46 3_2_007C2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DE441 3_2_007DE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C2043 3_2_007C2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DF83F 3_2_007DF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E1A3C 3_2_007E1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CEC27 3_2_007CEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D5220 3_2_007D5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C9E22 3_2_007C9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CD223 3_2_007CD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CE21C 3_2_007CE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CF41F 3_2_007CF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D1C10 3_2_007D1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C8C09 3_2_007C8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C1A0A 3_2_007C1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C220A 3_2_007C220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C4C00 3_2_007C4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DDEF4 3_2_007DDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C30F6 3_2_007C30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DA8F0 3_2_007DA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DAEEB 3_2_007DAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DECE3 3_2_007DECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D0ADE 3_2_007D0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DCCD4 3_2_007DCCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D7ED1 3_2_007D7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E08D1 3_2_007E08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DBEC9 3_2_007DBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D98BD 3_2_007D98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D90BA 3_2_007D90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C5AB2 3_2_007C5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CDAAE 3_2_007CDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D44AA 3_2_007D44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D78A5 3_2_007D78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DD6A7 3_2_007DD6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CFEA0 3_2_007CFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DAC9B 3_2_007DAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CAC95 3_2_007CAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DD091 3_2_007DD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C3C91 3_2_007C3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CCC8D 3_2_007CCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D4E8A 3_2_007D4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D748A 3_2_007D748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E0687 3_2_007E0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C7283 3_2_007C7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D577E 3_2_007D577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D1F6B 3_2_007D1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D056A 3_2_007D056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C3F5C 3_2_007C3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CC158 3_2_007CC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DF14D 3_2_007DF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C3345 3_2_007C3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E1343 3_2_007E1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E0B34 3_2_007E0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E292B 3_2_007E292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C6B25 3_2_007C6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C5923 3_2_007C5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C251C 3_2_007C251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DFD10 3_2_007DFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C2309 3_2_007C2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C3502 3_2_007C3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CC5FE 3_2_007CC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E03F1 3_2_007E03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C55E8 3_2_007C55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DBFE8 3_2_007DBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CA3DF 3_2_007CA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C6FC4 3_2_007C6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E25C3 3_2_007E25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DB1B5 3_2_007DB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CBFB6 3_2_007CBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D7BB2 3_2_007D7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D4BAA 3_2_007D4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D9DA1 3_2_007D9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D2FA2 3_2_007D2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DD99A 3_2_007DD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DB397 3_2_007DB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CFD91 3_2_007CFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007E1193 3_2_007E1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007D4D8D 3_2_007D4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C4F8E 3_2_007C4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C758F 3_2_007C758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C9384 3_2_007C9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1CAA8 4_2_00F1CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0441E 4_2_00F0441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F143B3 4_2_00F143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1A8F0 4_2_00F1A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1DEF4 4_2_00F1DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F030F6 4_2_00F030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1ECE3 4_2_00F1ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1AEEB 4_2_00F1AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F17ED1 4_2_00F17ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F208D1 4_2_00F208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1CCD4 4_2_00F1CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F10ADE 4_2_00F10ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1BEC9 4_2_00F1BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F05AB2 4_2_00F05AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F190BA 4_2_00F190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F198BD 4_2_00F198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0FEA0 4_2_00F0FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F178A5 4_2_00F178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1D6A7 4_2_00F1D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F144AA 4_2_00F144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0DAAE 4_2_00F0DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1D091 4_2_00F1D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F03C91 4_2_00F03C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0AC95 4_2_00F0AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1AC9B 4_2_00F1AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F07283 4_2_00F07283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F20687 4_2_00F20687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F14E8A 4_2_00F14E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1748A 4_2_00F1748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0CC8D 4_2_00F0CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F01C76 4_2_00F01C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1406E 4_2_00F1406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F02654 4_2_00F02654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F09A57 4_2_00F09A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1E441 4_2_00F1E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F02043 4_2_00F02043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F03845 4_2_00F03845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F02A46 4_2_00F02A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0A048 4_2_00F0A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1F83F 4_2_00F1F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F21A3C 4_2_00F21A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F15220 4_2_00F15220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F09E22 4_2_00F09E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0D223 4_2_00F0D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0EC27 4_2_00F0EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F11C10 4_2_00F11C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0E21C 4_2_00F0E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0F41F 4_2_00F0F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F04C00 4_2_00F04C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F08C09 4_2_00F08C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F01A0A 4_2_00F01A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0220A 4_2_00F0220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F203F1 4_2_00F203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0C5FE 4_2_00F0C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F055E8 4_2_00F055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1BFE8 4_2_00F1BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0A3DF 4_2_00F0A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F225C3 4_2_00F225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F06FC4 4_2_00F06FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F17BB2 4_2_00F17BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1B1B5 4_2_00F1B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0BFB6 4_2_00F0BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F19DA1 4_2_00F19DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F12FA2 4_2_00F12FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F14BAA 4_2_00F14BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0FD91 4_2_00F0FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F21193 4_2_00F21193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1B397 4_2_00F1B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1D99A 4_2_00F1D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F09384 4_2_00F09384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F14D8D 4_2_00F14D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F04F8E 4_2_00F04F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0758F 4_2_00F0758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1577E 4_2_00F1577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F11F6B 4_2_00F11F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1056A 4_2_00F1056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0C158 4_2_00F0C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F03F5C 4_2_00F03F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F21343 4_2_00F21343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F03345 4_2_00F03345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1F14D 4_2_00F1F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F20B34 4_2_00F20B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F05923 4_2_00F05923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F06B25 4_2_00F06B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F2292B 4_2_00F2292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1FD10 4_2_00F1FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F0251C 4_2_00F0251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F03502 4_2_00F03502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F02309 4_2_00F02309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_011643B3 6_2_011643B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0115441E 6_2_0115441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0116CAA8 6_2_0116CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0116FD10 6_2_0116FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0115251C 6_2_0115251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01153502 6_2_01153502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01152309 6_2_01152309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01170B34 6_2_01170B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01156B25 6_2_01156B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01155923 6_2_01155923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0117292B 6_2_0117292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01153F5C 6_2_01153F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0115C158 6_2_0115C158
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EDF5BE0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EDF5BE0 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE13F0 zwxnlwalmcbgmt, 0_2_6EDE13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE13F0 zwxnlwalmcbgmt, 2_2_6EDE13F0
Sample file name is different from the original file name gathered from version info
Source: 9fC0as7YLE.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs 9fC0as7YLE.dll
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: 9fC0as7YLE.dll Virustotal: Detection: 19%
Source: 9fC0as7YLE.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,abziuleoxsborpb
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,aejkroaebsbxdnkhb
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",YPRnAEDz
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,aejkroaebsbxdnkhb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",YPRnAEDz
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@37/7@0/22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF3C90 CoCreateInstance, 0_2_6EDF3C90
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5056:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDEEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_6EDEEBD0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 9fC0as7YLE.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 9fC0as7YLE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9fC0as7YLE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9fC0as7YLE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9fC0as7YLE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9fC0as7YLE.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D71229 push eax; retf 0_2_00D7129A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF5C26 push ecx; ret 0_2_6EDF5C39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE18067 push ecx; ret 0_2_6EE1807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B21229 push eax; retf 2_2_00B2129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDF5C26 push ecx; ret 2_2_6EDF5C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE18067 push ecx; ret 2_2_6EE1807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007C1229 push eax; retf 3_2_007C129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F01229 push eax; retf 4_2_00F0129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_01151229 push eax; retf 6_2_0115129A
PE file contains an invalid checksum
Source: 9fC0as7YLE.dll Static PE information: real checksum: 0x81586 should be: 0x7969b

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF7C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6EDF7C47
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EDE6672 second address: 000000006EDE66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007EFF14D484D1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EDE8A23 second address: 000000006EDE8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007EFF148A9D6Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EDE6672 second address: 000000006EDE66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007EFF14D484D1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EDE8A23 second address: 000000006EDE8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007EFF148A9D6Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6680 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6688 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3332 Thread sleep time: -90000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE6620 rdtscp 0_2_6EDE6620
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE0D1EE FindFirstFileExA, 0_2_6EE0D1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE0D1EE FindFirstFileExA, 2_2_6EE0D1EE
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.623481208.0000028AF1C29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW O&
Source: svchost.exe, 00000005.00000002.623838916.0000028AF7261000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000005.00000002.623810288.0000028AF724D000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.682059478.000002626BEF5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000024.00000002.682032373.000002626BEE2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWdisplaycatalog.mp.micros
Source: svchost.exe, 00000024.00000002.681948410.000002626BE7A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.773416337.000001C27DE29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EDFED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF849D IsProcessorFeaturePresent,GetProcessHeap,HeapAlloc,InitializeSListHead,GetProcessHeap,HeapFree, 0_2_6EDF849D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE6620 rdtscp 0_2_6EDE6620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8DE10 mov eax, dword ptr fs:[00000030h] 0_2_00D8DE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE6620 mov ecx, dword ptr fs:[00000030h] 0_2_6EDE6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF849D mov esi, dword ptr fs:[00000030h] 0_2_6EDF849D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE6510 mov eax, dword ptr fs:[00000030h] 0_2_6EDE6510
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDE8A50 mov eax, dword ptr fs:[00000030h] 0_2_6EDE8A50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE069AA mov eax, dword ptr fs:[00000030h] 0_2_6EE069AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B3DE10 mov eax, dword ptr fs:[00000030h] 2_2_00B3DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE6620 mov ecx, dword ptr fs:[00000030h] 2_2_6EDE6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDF849D mov esi, dword ptr fs:[00000030h] 2_2_6EDF849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE6510 mov eax, dword ptr fs:[00000030h] 2_2_6EDE6510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDE8A50 mov eax, dword ptr fs:[00000030h] 2_2_6EDE8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE069AA mov eax, dword ptr fs:[00000030h] 2_2_6EE069AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007DDE10 mov eax, dword ptr fs:[00000030h] 3_2_007DDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00F1DE10 mov eax, dword ptr fs:[00000030h] 4_2_00F1DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0116DE10 mov eax, dword ptr fs:[00000030h] 6_2_0116DE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDFED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EDFED41
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EDF5ABD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6EDF5239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDFED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EDFED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDF5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EDF5ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EDF5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EDF5239

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1
Source: rundll32.exe, 00000012.00000002.775503468.0000000003230000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000012.00000002.775503468.0000000003230000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000012.00000002.775503468.0000000003230000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000012.00000002.775503468.0000000003230000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000012.00000002.775503468.0000000003230000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6EE157AC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6EE15F10
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EE15DE7
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EE0DD93
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EE0E2F8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EE15A6F
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EE15A24
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6EE15B97
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EE15B0A
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6EE160E4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EE16017
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EE1597B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6EE157AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6EE15F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EE15DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EE0DD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EE0E2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EE15A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EE15A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6EE15B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EE15B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6EE160E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EE16017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EE1597B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF5916 cpuid 0_2_6EDF5916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EDF5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6EDF5C3C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000011.00000002.773524128.0000027E28F02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.773477149.0000027E28E51000.00000004.00000001.sdmp Binary or memory string: @\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.db4210.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.e243b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5841b0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.115c740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.9d4738.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.9d4738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.db4210.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.e243b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.115c740.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5841b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.33e4348.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.33e4348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.352594245.0000000000E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.773392509.00000000009BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.377195356.00000000033CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310049703.00000000004A5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.364267803.0000000000D9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.310032322.000000000056A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.365672207.000000000114A000.00000004.00000020.sdmp, type: MEMORY