Windows Analysis Report GQwxmGZFvtg.dll

Overview

General Information

Sample Name: GQwxmGZFvtg.dll
Analysis ID: 525020
MD5: 3ecb8e8c0baaa4acf5ca647a29ad2989
SHA1: 5de0548c74dd501454c949dc13a7a4e37e35aceb
SHA256: 7e4d240abe7a3835a088482d21e8f308c678035513631543e370f0f028a2f40e

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file name differs from the original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.f5c758.0.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: GQwxmGZFvtg.dll Virustotal: Detection: 18%
Source: GQwxmGZFvtg.dll ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files
Source: GQwxmGZFvtg.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: GQwxmGZFvtg.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E56D1EE FindFirstFileExA, 2_2_6E56D1EE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49774 -> 51.178.61.60:443
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49783 -> 168.197.250.14:80
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 168.197.250.14:80 -> 192.168.2.4:49783
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /vIaXhjlEiVCJtvEYurwocvmNMaSkNlb HTTP/1.1
Cookie: DGOfLuguTgt=UBN56B3QU+Tc+Xgq31bg3f9Hc8SeJtGwRW8cIQG0AjCXtu7IVNtnsz2CZP6/nHbvDL2M+GXz6pqgLLehfHZd2GGYpuU8uQKdmhGRacOnQW/ucq9cf8VNNBbQNPbhaJyv0XRSuZSYFPtFB7LZ1OorndJDYNrS7ph90Fj+KdcaTImxvaL1Qs5Z6UL4ThHUhcfK77E//BWfq9+pJEy7ddTtLK+8K0+70BY+tADtOTnA6uo2ueeAIbD3B8i85HcUUZx7mjc28/XQaTOUj2m814xjTOmgG7kxOyfQBdcReokKXCbScsmno86poBr9V773eA2kw1LMUwfE
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: svchost.exe, 00000016.00000003.994810026.00000188A7590000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.994810026.00000188A7590000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.994825373.00000188A75A1000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.1010712858.00000188A7500000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000C.00000003.961336355.0000000005586000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0083cfa262775
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14/
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14/GlobalSign
Source: rundll32.exe, 0000000C.00000003.959440225.0000000003231000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14/rosoft
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/D
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFy
Source: rundll32.exe, 0000000C.00000003.959440225.0000000003231000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFy-0
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFy3
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFyKC
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/W4
Source: rundll32.exe, 0000000C.00000003.957741992.0000000003231000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/vIaXhjlEiVCJtvEYurwocvmNMaSkNlb
Source: rundll32.exe, 0000000C.00000003.957741992.0000000003231000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/vIaXhjlEiVCJtvEYurwocvmNMaSkNlb9
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000016.00000003.992091612.00000188A7575000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.c
Source: svchost.exe, 00000016.00000003.991938156.00000188A7A02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: global traffic HTTP traffic detected:
GET /vIaXhjlEiVCJtvEYurwocvmNMaSkNlb HTTP/1.1
Cookie: DGOfLuguTgt=UBN56B3QU+Tc+Xgq31bg3f9Hc8SeJtGwRW8cIQG0AjCXtu7IVNtnsz2CZP6/nHbvDL2M+GXz6pqgLLehfHZd2GGYpuU8uQKdmhGRacOnQW/ucq9cf8VNNBbQNPbhaJyv0XRSuZSYFPtFB7LZ1OorndJDYNrS7ph90Fj+KdcaTImxvaL1Qs5Z6UL4ThHUhcfK77E//BWfq9+pJEy7ddTtLK+8K0+70BY+tADtOTnA6uo2ueeAIbD3B8i85HcUUZx7mjc28/XQaTOUj2m814xjTOmgG7kxOyfQBdcReokKXCbScsmno86poBr9V773eA2kw1LMUwfE
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49774 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E545EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 2_2_6E545EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.2bb5280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f443a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a4148.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.30f42a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a4148.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f443a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2bb5280.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f5c758.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.31b4780.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.30f42a8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.31b4780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f5c758.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1195922556.000000000319A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.776937820.0000000002C55000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.829087525.0000000002B9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.792999078.0000000002F2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.776035801.000000000048A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.795842266.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.796379773.0000000000F4A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: GQwxmGZFvtg.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014643B3 0_2_014643B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145441E 0_2_0145441E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146CAA8 0_2_0146CAA8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01453345 0_2_01453345
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01471343 0_2_01471343
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146F14D 0_2_0146F14D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01453F5C 0_2_01453F5C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145C158 0_2_0145C158
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146056A 0_2_0146056A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01461F6B 0_2_01461F6B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146577E 0_2_0146577E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01453502 0_2_01453502
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01452309 0_2_01452309
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146FD10 0_2_0146FD10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145251C 0_2_0145251C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01456B25 0_2_01456B25
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01455923 0_2_01455923
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0147292B 0_2_0147292B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01470B34 0_2_01470B34
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01456FC4 0_2_01456FC4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014725C3 0_2_014725C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145A3DF 0_2_0145A3DF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014555E8 0_2_014555E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146BFE8 0_2_0146BFE8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014703F1 0_2_014703F1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145C5FE 0_2_0145C5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01459384 0_2_01459384
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145758F 0_2_0145758F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01464D8D 0_2_01464D8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01454F8E 0_2_01454F8E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146B397 0_2_0146B397
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145FD91 0_2_0145FD91
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01471193 0_2_01471193
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146D99A 0_2_0146D99A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01462FA2 0_2_01462FA2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01469DA1 0_2_01469DA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01464BAA 0_2_01464BAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146B1B5 0_2_0146B1B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145BFB6 0_2_0145BFB6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01467BB2 0_2_01467BB2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01453845 0_2_01453845
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01452A46 0_2_01452A46
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01452043 0_2_01452043
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146E441 0_2_0146E441
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145A048 0_2_0145A048
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01452654 0_2_01452654
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01459A57 0_2_01459A57
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146406E 0_2_0146406E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01451C76 0_2_01451C76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01454C00 0_2_01454C00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01458C09 0_2_01458C09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01451A0A 0_2_01451A0A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145220A 0_2_0145220A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01461C10 0_2_01461C10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145E21C 0_2_0145E21C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145F41F 0_2_0145F41F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145EC27 0_2_0145EC27
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01465220 0_2_01465220
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145D223 0_2_0145D223
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01459E22 0_2_01459E22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146F83F 0_2_0146F83F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01471A3C 0_2_01471A3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146BEC9 0_2_0146BEC9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146CCD4 0_2_0146CCD4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014708D1 0_2_014708D1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01467ED1 0_2_01467ED1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01460ADE 0_2_01460ADE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146ECE3 0_2_0146ECE3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146AEEB 0_2_0146AEEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146DEF4 0_2_0146DEF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014530F6 0_2_014530F6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146A8F0 0_2_0146A8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01470687 0_2_01470687
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01457283 0_2_01457283
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145CC8D 0_2_0145CC8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01464E8A 0_2_01464E8A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146748A 0_2_0146748A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145AC95 0_2_0145AC95
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01453C91 0_2_01453C91
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146D091 0_2_0146D091
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146AC9B 0_2_0146AC9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146D6A7 0_2_0146D6A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014678A5 0_2_014678A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145FEA0 0_2_0145FEA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0145DAAE 0_2_0145DAAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014644AA 0_2_014644AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01455AB2 0_2_01455AB2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014698BD 0_2_014698BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_014690BA 0_2_014690BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E546620 2_2_6E546620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E545730 2_2_6E545730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E56C6FE 2_2_6E56C6FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E545EE0 2_2_6E545EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E54F700 2_2_6E54F700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E563780 2_2_6E563780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55DC5D 2_2_6E55DC5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E551CD0 2_2_6E551CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55DA2D 2_2_6E55DA2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55A29D 2_2_6E55A29D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E542A80 2_2_6E542A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E573074 2_2_6E573074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E571929 2_2_6E571929
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069441E 3_2_0069441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006ACAA8 3_2_006ACAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A43B3 3_2_006A43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A406E 3_2_006A406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00691C76 3_2_00691C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069A048 3_2_0069A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00692043 3_2_00692043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AE441 3_2_006AE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00693845 3_2_00693845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00692A46 3_2_00692A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00692654 3_2_00692654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00699A57 3_2_00699A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A5220 3_2_006A5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069D223 3_2_0069D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00699E22 3_2_00699E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069EC27 3_2_0069EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AF83F 3_2_006AF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B1A3C 3_2_006B1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00698C09 3_2_00698C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00691A0A 3_2_00691A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069220A 3_2_0069220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00694C00 3_2_00694C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069E21C 3_2_0069E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069F41F 3_2_0069F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A1C10 3_2_006A1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AAEEB 3_2_006AAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AECE3 3_2_006AECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AA8F0 3_2_006AA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006ADEF4 3_2_006ADEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006930F6 3_2_006930F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006ABEC9 3_2_006ABEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A0ADE 3_2_006A0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B08D1 3_2_006B08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A7ED1 3_2_006A7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006ACCD4 3_2_006ACCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A44AA 3_2_006A44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069DAAE 3_2_0069DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069FEA0 3_2_0069FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AD6A7 3_2_006AD6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A78A5 3_2_006A78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A90BA 3_2_006A90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A98BD 3_2_006A98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00695AB2 3_2_00695AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A4E8A 3_2_006A4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A748A 3_2_006A748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069CC8D 3_2_0069CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00697283 3_2_00697283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B0687 3_2_006B0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AAC9B 3_2_006AAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00693C91 3_2_00693C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AD091 3_2_006AD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069AC95 3_2_0069AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A056A 3_2_006A056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A1F6B 3_2_006A1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A577E 3_2_006A577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AF14D 3_2_006AF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B1343 3_2_006B1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00693345 3_2_00693345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069C158 3_2_0069C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00693F5C 3_2_00693F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B292B 3_2_006B292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00695923 3_2_00695923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00696B25 3_2_00696B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B0B34 3_2_006B0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00692309 3_2_00692309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00693502 3_2_00693502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069251C 3_2_0069251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AFD10 3_2_006AFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006955E8 3_2_006955E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006ABFE8 3_2_006ABFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069C5FE 3_2_0069C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B03F1 3_2_006B03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B25C3 3_2_006B25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00696FC4 3_2_00696FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069A3DF 3_2_0069A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A4BAA 3_2_006A4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A2FA2 3_2_006A2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A9DA1 3_2_006A9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A7BB2 3_2_006A7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AB1B5 3_2_006AB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069BFB6 3_2_0069BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069758F 3_2_0069758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006A4D8D 3_2_006A4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00694F8E 3_2_00694F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00699384 3_2_00699384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AD99A 3_2_006AD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0069FD91 3_2_0069FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006B1193 3_2_006B1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006AB397 3_2_006AB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBCAA8 4_2_02BBCAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA441E 4_2_02BA441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB43B3 4_2_02BB43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB90BA 4_2_02BB90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB98BD 4_2_02BB98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA5AB2 4_2_02BA5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB44AA 4_2_02BB44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BADAAE 4_2_02BADAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAFEA0 4_2_02BAFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBD6A7 4_2_02BBD6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB78A5 4_2_02BB78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBAC9B 4_2_02BBAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBD091 4_2_02BBD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA3C91 4_2_02BA3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAAC95 4_2_02BAAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB4E8A 4_2_02BB4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB748A 4_2_02BB748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BACC8D 4_2_02BACC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA7283 4_2_02BA7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC0687 4_2_02BC0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBA8F0 4_2_02BBA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA30F6 4_2_02BA30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBDEF4 4_2_02BBDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBAEEB 4_2_02BBAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBECE3 4_2_02BBECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB0ADE 4_2_02BB0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB7ED1 4_2_02BB7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC08D1 4_2_02BC08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBCCD4 4_2_02BBCCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBBEC9 4_2_02BBBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC1A3C 4_2_02BC1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBF83F 4_2_02BBF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA9E22 4_2_02BA9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAD223 4_2_02BAD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB5220 4_2_02BB5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAEC27 4_2_02BAEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAF41F 4_2_02BAF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAE21C 4_2_02BAE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB1C10 4_2_02BB1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA1A0A 4_2_02BA1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA220A 4_2_02BA220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA8C09 4_2_02BA8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA4C00 4_2_02BA4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA1C76 4_2_02BA1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB406E 4_2_02BB406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA9A57 4_2_02BA9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA2654 4_2_02BA2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAA048 4_2_02BAA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA2043 4_2_02BA2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBE441 4_2_02BBE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA2A46 4_2_02BA2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA3845 4_2_02BA3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB7BB2 4_2_02BB7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BABFB6 4_2_02BABFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBB1B5 4_2_02BBB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB4BAA 4_2_02BB4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB2FA2 4_2_02BB2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB9DA1 4_2_02BB9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBD99A 4_2_02BBD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAFD91 4_2_02BAFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBB397 4_2_02BBB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC1193 4_2_02BC1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA4F8E 4_2_02BA4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA758F 4_2_02BA758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB4D8D 4_2_02BB4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA9384 4_2_02BA9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAC5FE 4_2_02BAC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC03F1 4_2_02BC03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA55E8 4_2_02BA55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBBFE8 4_2_02BBBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAA3DF 4_2_02BAA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA6FC4 4_2_02BA6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC25C3 4_2_02BC25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC0B34 4_2_02BC0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC292B 4_2_02BC292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA5923 4_2_02BA5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA6B25 4_2_02BA6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA251C 4_2_02BA251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBFD10 4_2_02BBFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA2309 4_2_02BA2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA3502 4_2_02BA3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB577E 4_2_02BB577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB1F6B 4_2_02BB1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BB056A 4_2_02BB056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BAC158 4_2_02BAC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA3F5C 4_2_02BA3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBF14D 4_2_02BBF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA3345 4_2_02BA3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BC1343 4_2_02BC1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B43B3 5_2_032B43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A441E 5_2_032A441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BCAA8 5_2_032BCAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C292B 5_2_032C292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A5923 5_2_032A5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A6B25 5_2_032A6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C0B34 5_2_032C0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A2309 5_2_032A2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A3502 5_2_032A3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A251C 5_2_032A251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BFD10 5_2_032BFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B1F6B 5_2_032B1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B056A 5_2_032B056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B577E 5_2_032B577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BF14D 5_2_032BF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A3345 5_2_032A3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C1343 5_2_032C1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AC158 5_2_032AC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A3F5C 5_2_032A3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B4BAA 5_2_032B4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B2FA2 5_2_032B2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B9DA1 5_2_032B9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B7BB2 5_2_032B7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032ABFB6 5_2_032ABFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BB1B5 5_2_032BB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A4F8E 5_2_032A4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A758F 5_2_032A758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B4D8D 5_2_032B4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A9384 5_2_032A9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BD99A 5_2_032BD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AFD91 5_2_032AFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BB397 5_2_032BB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C1193 5_2_032C1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A55E8 5_2_032A55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BBFE8 5_2_032BBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AC5FE 5_2_032AC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C03F1 5_2_032C03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A6FC4 5_2_032A6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C25C3 5_2_032C25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AA3DF 5_2_032AA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A9E22 5_2_032A9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AD223 5_2_032AD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B5220 5_2_032B5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AEC27 5_2_032AEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C1A3C 5_2_032C1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BF83F 5_2_032BF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A1A0A 5_2_032A1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A220A 5_2_032A220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A8C09 5_2_032A8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A4C00 5_2_032A4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AF41F 5_2_032AF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AE21C 5_2_032AE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B1C10 5_2_032B1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B406E 5_2_032B406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A1C76 5_2_032A1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AA048 5_2_032AA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A2043 5_2_032A2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BE441 5_2_032BE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A2A46 5_2_032A2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A3845 5_2_032A3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A9A57 5_2_032A9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A2654 5_2_032A2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B44AA 5_2_032B44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032ADAAE 5_2_032ADAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AFEA0 5_2_032AFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BD6A7 5_2_032BD6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B78A5 5_2_032B78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B90BA 5_2_032B90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B98BD 5_2_032B98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A5AB2 5_2_032A5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B4E8A 5_2_032B4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B748A 5_2_032B748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032ACC8D 5_2_032ACC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A7283 5_2_032A7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C0687 5_2_032C0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BAC9B 5_2_032BAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BD091 5_2_032BD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A3C91 5_2_032A3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032AAC95 5_2_032AAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BAEEB 5_2_032BAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BECE3 5_2_032BECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BA8F0 5_2_032BA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A30F6 5_2_032A30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BDEF4 5_2_032BDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BBEC9 5_2_032BBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B0ADE 5_2_032B0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032B7ED1 5_2_032B7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032C08D1 5_2_032C08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BCCD4 5_2_032BCCD4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E555BE0 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E5413F0 zwxnlwalmcbgmt, 2_2_6E5413F0
Sample file is different than original file name gathered from version info
Source: GQwxmGZFvtg.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs GQwxmGZFvtg.dll
Source: GQwxmGZFvtg.dll Virustotal: Detection: 18%
Source: GQwxmGZFvtg.dll ReversingLabs: Detection: 24%
Source: GQwxmGZFvtg.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp",iHIeY
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,aejkroaebsbxdnkhb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp",iHIeY
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@27/2@0/20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E54BC70 SHGetFolderPathW,CoCreateInstance, 2_2_6E54BC70
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E54EBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 2_2_6E54EBD0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: GQwxmGZFvtg.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: GQwxmGZFvtg.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GQwxmGZFvtg.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GQwxmGZFvtg.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GQwxmGZFvtg.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GQwxmGZFvtg.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01451229 push eax; retf 0_2_0145129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E555C26 push ecx; ret 2_2_6E555C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E578067 push ecx; ret 2_2_6E57807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00691229 push eax; retf 3_2_0069129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BA1229 push eax; retf 4_2_02BA129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032A1229 push eax; retf 5_2_032A129A
PE file contains an invalid checksum
Source: GQwxmGZFvtg.dll Static PE information: real checksum: 0x81586 should be: 0x843c6

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E546672 second address: 000000006E5466A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F9614D3C6B1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E548A23 second address: 000000006E548A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F9614D3C67Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E546672 second address: 000000006E5466A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F9614D3C6B1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E548A23 second address: 000000006E548A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F9614D3C67Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4652 Thread sleep time: -150000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E546620 rdtscp 2_2_6E546620
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.3 %
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E56D1EE FindFirstFileExA, 2_2_6E56D1EE
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000016.00000002.1010837768.00000188A757F000.00000004.00000001.sdmp Binary or memory string: MS-CV: Y1HDeb3wqEmueGd7.0.2.4.2872910603.0.1.2872910604.0.0
Source: svchost.exe, 00000016.00000003.999424483.00000188A7562000.00000004.00000001.sdmp Binary or memory string: (@Y1HDeb3wqEmueGd7.0.2.
Source: svchost.exe, 00000016.00000002.1010788222.00000188A754E000.00000004.00000001.sdmp Binary or memory string: MS-CV: Y1HDeb3wqEmueGd7.0.2.4
Source: svchost.exe, 00000016.00000002.1010317215.00000188A6C60000.00000004.00000001.sdmp Binary or memory string: MS-DocumentVersions9WZDNCRFHVFW|3736Nodeaks-systempool-37630073-vmss000007RegionneuMS-ServerId86f44b-phr9mX-Content-Type-OptionsnosniffMS-CVY1HDeb3wqEmueGd7.0.2.4.2872910603.0.1.2872910604.0.0MS-RequestId71296fba-5896-449c-906c-b22199a33e43MS-CorrelationId0299f04f-a0f5-4f9a-8e0b-2ed791cc4d1ePersistent-AuthWWW-AuthenticateAuthorizationVarySet-CookieKestrelServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingapplication/json; charset=utf-8Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerPragmaKeep-AliveFri, 19 Nov 2021 09:15:31 GMTDateProxy-ConnectioncloseConnectionCache-Controlt.com
Source: rundll32.exe, 0000000C.00000003.957741992.0000000003231000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.1010515085.00000188A6CEC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000016.00000002.1010317215.00000188A6C60000.00000004.00000001.sdmp Binary or memory string: Y1HDeb3wqEmueGd7.0.2.4.2872910603.0.1.2872910604.0.0
Source: svchost.exe, 00000016.00000002.1010837768.00000188A757F000.00000004.00000001.sdmp Binary or memory string: https://displaycatalog.mp.microsoft.com/v7.0/products/lookup?alternateId=PackageFamilyName&value=Microsoft.BingNews_8wekyb3d8bbwe&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=PublicUserUserWdtP(Y1HDeb3wqEmueGd7.0.2UserUserWdtPUserUserWdtPdtP
Source: svchost.exe, 00000016.00000002.1010423647.00000188A6CA8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E55ED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55846D GetProcessHeap,HeapFree,InterlockedPushEntrySList, 2_2_6E55846D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E546620 rdtscp 2_2_6E546620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0146DE10 mov eax, dword ptr fs:[00000030h] 0_2_0146DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E546620 mov ecx, dword ptr fs:[00000030h] 2_2_6E546620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55849D mov esi, dword ptr fs:[00000030h] 2_2_6E55849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E546510 mov eax, dword ptr fs:[00000030h] 2_2_6E546510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E548A50 mov eax, dword ptr fs:[00000030h] 2_2_6E548A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E5669AA mov eax, dword ptr fs:[00000030h] 2_2_6E5669AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_006ADE10 mov eax, dword ptr fs:[00000030h] 3_2_006ADE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BBDE10 mov eax, dword ptr fs:[00000030h] 4_2_02BBDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_032BDE10 mov eax, dword ptr fs:[00000030h] 5_2_032BDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E55ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E55ED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E555239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E555239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E555ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E555ABD

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1
Source: rundll32.exe, 0000000C.00000002.1196217033.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000C.00000002.1196217033.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000C.00000002.1196217033.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000C.00000002.1196217033.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E575F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E5757AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E575DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E56DD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E575A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E575A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E56E2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E575B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E575B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E576017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E5760E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E57597B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E555916 cpuid 2_2_6E555916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E555C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6E555C3C

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.2bb5280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f443a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a4148.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.30f42a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a4148.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f443a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2bb5280.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f5c758.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.31b4780.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.30f42a8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.31b4780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f5c758.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1195922556.000000000319A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.776937820.0000000002C55000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.829087525.0000000002B9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.792999078.0000000002F2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.776035801.000000000048A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.795842266.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.796379773.0000000000F4A000.00000004.00000020.sdmp, type: MEMORY