Windows Analysis Report dUGnMYeP1C

Overview

General Information

Sample Name: dUGnMYeP1C (renamed file extension from none to dll)
Analysis ID: 524858
MD5: 9369750d8d21d8fcb1b35365f232625f
SHA1: 30902a381e823450780e0efbbdc4d4130a032e20
SHA256: 8d91807aa27ee93694388b7cbfa9d74a3d93407036650cdd29631360b675853f
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.7b43e8.0.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: dUGnMYeP1C.dll Virustotal: Detection: 19%
Source: dUGnMYeP1C.dll ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/ Virustotal: Detection: 9%

Compliance:

Uses 32bit PE files
Source: dUGnMYeP1C.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: dUGnMYeP1C.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4DD1EE FindFirstFileExA, 0_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4DD1EE FindFirstFileExA, 2_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E1A80 FindFirstFileW, 14_2_031E1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49763 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1 Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ== Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, 0000000E.00000003.836491061.0000000003666000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.978146496.000001FFDD700000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.978005532.000001FFDD0EF000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000019.00000003.959264730.000001FFDD7A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F1027 InternetReadFile, 14_2_031F1027
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.765596973.000000000164B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality for read data from the clipboard
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 0_2_6E4B5EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: dUGnMYeP1C.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Syakyqcviop\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE5AB2 3_2_00EE5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EECC8D 3_2_00EECC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF4E8A 3_2_00EF4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF748A 3_2_00EF748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE7283 3_2_00EE7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFAC9B 3_2_00EFAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F00687 3_2_00F00687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEAC95 3_2_00EEAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFD091 3_2_00EFD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE3C91 3_2_00EE3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF406E 3_2_00EF406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE1C76 3_2_00EE1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEA048 3_2_00EEA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE2A46 3_2_00EE2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE3845 3_2_00EE3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE2043 3_2_00EE2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFE441 3_2_00EFE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE9A57 3_2_00EE9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE2654 3_2_00EE2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEEC27 3_2_00EEEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE9E22 3_2_00EE9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F01A3C 3_2_00F01A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EED223 3_2_00EED223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF5220 3_2_00EF5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFF83F 3_2_00EFF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE1A0A 3_2_00EE1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE220A 3_2_00EE220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE8C09 3_2_00EE8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE4C00 3_2_00EE4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEF41F 3_2_00EEF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEE21C 3_2_00EEE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF1C10 3_2_00EF1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F003F1 3_2_00F003F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE55E8 3_2_00EE55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFBFE8 3_2_00EFBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEC5FE 3_2_00EEC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE6FC4 3_2_00EE6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEA3DF 3_2_00EEA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F025C3 3_2_00F025C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF4BAA 3_2_00EF4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF2FA2 3_2_00EF2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF9DA1 3_2_00EF9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEBFB6 3_2_00EEBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFB1B5 3_2_00EFB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF7BB2 3_2_00EF7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE4F8E 3_2_00EE4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE758F 3_2_00EE758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF4D8D 3_2_00EF4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F01193 3_2_00F01193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE9384 3_2_00EE9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFD99A 3_2_00EFD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFB397 3_2_00EFB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEFD91 3_2_00EEFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF1F6B 3_2_00EF1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF056A 3_2_00EF056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EF577E 3_2_00EF577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFF14D 3_2_00EFF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE3345 3_2_00EE3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE3F5C 3_2_00EE3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F01343 3_2_00F01343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EEC158 3_2_00EEC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F00B34 3_2_00F00B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE6B25 3_2_00EE6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE5923 3_2_00EE5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00F0292B 3_2_00F0292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE2309 3_2_00EE2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE3502 3_2_00EE3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE251C 3_2_00EE251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFFD10 3_2_00EFFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092CAA8 6_2_0092CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091441E 6_2_0091441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009243B3 6_2_009243B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00913C91 6_2_00913C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092D091 6_2_0092D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091AC95 6_2_0091AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092AC9B 6_2_0092AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00917283 6_2_00917283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00930687 6_2_00930687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00924E8A 6_2_00924E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092748A 6_2_0092748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091CC8D 6_2_0091CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00915AB2 6_2_00915AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009290BA 6_2_009290BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009298BD 6_2_009298BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091FEA0 6_2_0091FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092D6A7 6_2_0092D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009278A5 6_2_009278A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009244AA 6_2_009244AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091DAAE 6_2_0091DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009308D1 6_2_009308D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00927ED1 6_2_00927ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092CCD4 6_2_0092CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00920ADE 6_2_00920ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092BEC9 6_2_0092BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092A8F0 6_2_0092A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092DEF4 6_2_0092DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009130F6 6_2_009130F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092ECE3 6_2_0092ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092AEEB 6_2_0092AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00921C10 6_2_00921C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091E21C 6_2_0091E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091F41F 6_2_0091F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00914C00 6_2_00914C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00918C09 6_2_00918C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00911A0A 6_2_00911A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091220A 6_2_0091220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092F83F 6_2_0092F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00931A3C 6_2_00931A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00925220 6_2_00925220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091D223 6_2_0091D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00919E22 6_2_00919E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091EC27 6_2_0091EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00912654 6_2_00912654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00919A57 6_2_00919A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00912043 6_2_00912043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092E441 6_2_0092E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00913845 6_2_00913845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00912A46 6_2_00912A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091A048 6_2_0091A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00911C76 6_2_00911C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092406E 6_2_0092406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091FD91 6_2_0091FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00931193 6_2_00931193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092B397 6_2_0092B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092D99A 6_2_0092D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00919384 6_2_00919384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091758F 6_2_0091758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00924D8D 6_2_00924D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00914F8E 6_2_00914F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00927BB2 6_2_00927BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092B1B5 6_2_0092B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091BFB6 6_2_0091BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00922FA2 6_2_00922FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00929DA1 6_2_00929DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00924BAA 6_2_00924BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091A3DF 6_2_0091A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009325C3 6_2_009325C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00916FC4 6_2_00916FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009303F1 6_2_009303F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091C5FE 6_2_0091C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009155E8 6_2_009155E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092BFE8 6_2_0092BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092FD10 6_2_0092FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091251C 6_2_0091251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00913502 6_2_00913502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00912309 6_2_00912309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00930B34 6_2_00930B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00915923 6_2_00915923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00916B25 6_2_00916B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0093292B 6_2_0093292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0091C158 6_2_0091C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00913F5C 6_2_00913F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00931343 6_2_00931343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00913345 6_2_00913345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092F14D 6_2_0092F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092577E 6_2_0092577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092056A 6_2_0092056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00921F6B 6_2_00921F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9CAA8 9_2_00F9CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8441E 9_2_00F8441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F943B3 9_2_00F943B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9A8F0 9_2_00F9A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9DEF4 9_2_00F9DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F830F6 9_2_00F830F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9AEEB 9_2_00F9AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9ECE3 9_2_00F9ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F90ADE 9_2_00F90ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F97ED1 9_2_00F97ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA08D1 9_2_00FA08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9CCD4 9_2_00F9CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9BEC9 9_2_00F9BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F990BA 9_2_00F990BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F998BD 9_2_00F998BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F85AB2 9_2_00F85AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F944AA 9_2_00F944AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8DAAE 9_2_00F8DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8FEA0 9_2_00F8FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F978A5 9_2_00F978A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9D6A7 9_2_00F9D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9AC9B 9_2_00F9AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9D091 9_2_00F9D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F83C91 9_2_00F83C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8AC95 9_2_00F8AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F94E8A 9_2_00F94E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9748A 9_2_00F9748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8CC8D 9_2_00F8CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F87283 9_2_00F87283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA0687 9_2_00FA0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F81C76 9_2_00F81C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9406E 9_2_00F9406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F82654 9_2_00F82654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F89A57 9_2_00F89A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8A048 9_2_00F8A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9E441 9_2_00F9E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F82043 9_2_00F82043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F83845 9_2_00F83845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F82A46 9_2_00F82A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9F83F 9_2_00F9F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA1A3C 9_2_00FA1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F95220 9_2_00F95220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F89E22 9_2_00F89E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8D223 9_2_00F8D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8EC27 9_2_00F8EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8E21C 9_2_00F8E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8F41F 9_2_00F8F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F91C10 9_2_00F91C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F88C09 9_2_00F88C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F81A0A 9_2_00F81A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8220A 9_2_00F8220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F84C00 9_2_00F84C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8C5FE 9_2_00F8C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA03F1 9_2_00FA03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F855E8 9_2_00F855E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9BFE8 9_2_00F9BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8A3DF 9_2_00F8A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA25C3 9_2_00FA25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F86FC4 9_2_00F86FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F97BB2 9_2_00F97BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9B1B5 9_2_00F9B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8BFB6 9_2_00F8BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F94BAA 9_2_00F94BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F99DA1 9_2_00F99DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F92FA2 9_2_00F92FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9D99A 9_2_00F9D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8FD91 9_2_00F8FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA1193 9_2_00FA1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9B397 9_2_00F9B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F94D8D 9_2_00F94D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F84F8E 9_2_00F84F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8758F 9_2_00F8758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F89384 9_2_00F89384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9577E 9_2_00F9577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F91F6B 9_2_00F91F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9056A 9_2_00F9056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8C158 9_2_00F8C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F83F5C 9_2_00F83F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9F14D 9_2_00F9F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA1343 9_2_00FA1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F83345 9_2_00F83345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA0B34 9_2_00FA0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00FA292B 9_2_00FA292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F85923 9_2_00F85923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F86B25 9_2_00F86B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F8251C 9_2_00F8251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9FD10 9_2_00F9FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F82309 9_2_00F82309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F83502 9_2_00F83502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F0B34 14_2_031F0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E577E 14_2_031E577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D758F 14_2_031D758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D9384 14_2_031D9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E4BAA 14_2_031E4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E2FA2 14_2_031E2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DC5FE 14_2_031DC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D55E8 14_2_031D55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D441E 14_2_031D441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D220A 14_2_031D220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EF83F 14_2_031EF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DEC27 14_2_031DEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E5220 14_2_031E5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D3845 14_2_031D3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D2043 14_2_031D2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DAC95 14_2_031DAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E748A 14_2_031E748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D5AB2 14_2_031D5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E44AA 14_2_031E44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E78A5 14_2_031E78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F08D1 14_2_031F08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E7ED1 14_2_031E7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EDEF4 14_2_031EDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D30F6 14_2_031D30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EECE3 14_2_031EECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D251C 14_2_031D251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EFD10 14_2_031EFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D2309 14_2_031D2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D3502 14_2_031D3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F292B 14_2_031F292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D6B25 14_2_031D6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D5923 14_2_031D5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D3F5C 14_2_031D3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DC158 14_2_031DC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EF14D 14_2_031EF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D3345 14_2_031D3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F1343 14_2_031F1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E056A 14_2_031E056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E1F6B 14_2_031E1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031ED99A 14_2_031ED99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EB397 14_2_031EB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DFD91 14_2_031DFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F1193 14_2_031F1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E4D8D 14_2_031E4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D4F8E 14_2_031D4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EB1B5 14_2_031EB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DBFB6 14_2_031DBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E7BB2 14_2_031E7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E43B3 14_2_031E43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E9DA1 14_2_031E9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DA3DF 14_2_031DA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D6FC4 14_2_031D6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F25C3 14_2_031F25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F03F1 14_2_031F03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EBFE8 14_2_031EBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DE21C 14_2_031DE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DF41F 14_2_031DF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E1C10 14_2_031E1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D8C09 14_2_031D8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D1A0A 14_2_031D1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D4C00 14_2_031D4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F1A3C 14_2_031F1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DD223 14_2_031DD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D9E22 14_2_031D9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D2654 14_2_031D2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D9A57 14_2_031D9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DA048 14_2_031DA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D2A46 14_2_031D2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EE441 14_2_031EE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D1C76 14_2_031D1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E406E 14_2_031E406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EAC9B 14_2_031EAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D3C91 14_2_031D3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031ED091 14_2_031ED091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DCC8D 14_2_031DCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E4E8A 14_2_031E4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031F0687 14_2_031F0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D7283 14_2_031D7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E98BD 14_2_031E98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E90BA 14_2_031E90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DDAAE 14_2_031DDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031ECAA8 14_2_031ECAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031ED6A7 14_2_031ED6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031DFEA0 14_2_031DFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E0ADE 14_2_031E0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031ECCD4 14_2_031ECCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EBEC9 14_2_031EBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EA8F0 14_2_031EA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EAEEB 14_2_031EAEEB
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4C5BE0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E4C5BE0 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B13F0 zwxnlwalmcbgmt, 0_2_6E4B13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B13F0 zwxnlwalmcbgmt, 2_2_6E4B13F0
Sample file is different than original file name gathered from version info
Source: dUGnMYeP1C.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs dUGnMYeP1C.dll
Source: dUGnMYeP1C.dll Virustotal: Detection: 19%
Source: dUGnMYeP1C.dll ReversingLabs: Detection: 22%
Source: dUGnMYeP1C.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@27/0@0/20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BBC70 SHGetFolderPathW,CoCreateInstance, 0_2_6E4BBC70
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E1B54 CreateToolhelp32Snapshot, 14_2_031E1B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_6E4BEBD0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: dUGnMYeP1C.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: dUGnMYeP1C.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dUGnMYeP1C.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dUGnMYeP1C.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dUGnMYeP1C.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dUGnMYeP1C.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013E1229 push eax; retf 0_2_013E129A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C5C26 push ecx; ret 0_2_6E4C5C39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E8067 push ecx; ret 0_2_6E4E807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C5C26 push ecx; ret 2_2_6E4C5C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4E8067 push ecx; ret 2_2_6E4E807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EE1229 push eax; retf 3_2_00EE129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00911229 push eax; retf 6_2_0091129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F81229 push eax; retf 9_2_00F8129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031D1229 push eax; retf 14_2_031D129A
PE file contains an invalid checksum
Source: dUGnMYeP1C.dll Static PE information: real checksum: 0x81586 should be: 0x82f94

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4B6672 second address: 000000006E4B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F75F4AB0AF1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4B8A23 second address: 000000006E4B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F75F4D5ACBEh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E4B6672 second address: 000000006E4B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F75F4AB0AF1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E4B8A23 second address: 000000006E4B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F75F4D5ACBEh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5036 Thread sleep time: -180000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B6620 rdtscp 0_2_6E4B6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4DD1EE FindFirstFileExA, 0_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4DD1EE FindFirstFileExA, 2_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031E1A80 FindFirstFileW, 14_2_031E1A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.977901726.000001FFDD0A7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000002.00000003.713312417.00000000035AD000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000019.00000002.977772992.000001FFDD058000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp94

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4CED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C846D GetProcessHeap,HeapFree,InterlockedPushEntrySList, 0_2_6E4C846D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B6620 rdtscp 0_2_6E4B6620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013FDE10 mov eax, dword ptr fs:[00000030h] 0_2_013FDE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B6620 mov ecx, dword ptr fs:[00000030h] 0_2_6E4B6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C849D mov esi, dword ptr fs:[00000030h] 0_2_6E4C849D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B6510 mov eax, dword ptr fs:[00000030h] 0_2_6E4B6510
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B8A50 mov eax, dword ptr fs:[00000030h] 0_2_6E4B8A50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D69AA mov eax, dword ptr fs:[00000030h] 0_2_6E4D69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B6620 mov ecx, dword ptr fs:[00000030h] 2_2_6E4B6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C849D mov esi, dword ptr fs:[00000030h] 2_2_6E4C849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B6510 mov eax, dword ptr fs:[00000030h] 2_2_6E4B6510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4B8A50 mov eax, dword ptr fs:[00000030h] 2_2_6E4B8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4D69AA mov eax, dword ptr fs:[00000030h] 2_2_6E4D69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00EFDE10 mov eax, dword ptr fs:[00000030h] 3_2_00EFDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0092DE10 mov eax, dword ptr fs:[00000030h] 6_2_0092DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00F9DE10 mov eax, dword ptr fs:[00000030h] 9_2_00F9DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_031EDE10 mov eax, dword ptr fs:[00000030h] 14_2_031EDE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4CED41
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4C5239
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4C5ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E4CED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E4C5239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E4C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E4C5ABD

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E4E5F10
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E4E57AC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E4E5DE7
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E4DDD93
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E4E5A6F
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E4E5A24
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E4DE2F8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E4E5B0A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E4E5B97
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E4E6017
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E4E60E4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E4E597B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E4E5F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E4E57AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E4E5DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E4DDD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E4E5A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E4E5A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E4DE2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E4E5B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E4E5B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E4E6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E4E60E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E4E597B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C5916 cpuid 0_2_6E4C5916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E4C5C3C

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY