Windows Analysis Report tUJXpPwU27

Overview

General Information

Sample Name: tUJXpPwU27 (renamed file extension from none to dll)
Analysis ID: 528351
MD5: 15239e7be7ce6bfaf0681eb66bcde356
SHA1: 55dc2a27f408bf6437224ecfc62cc01a3311ec08
SHA256: 79036368e6229fa1c4eb724a34e4d10973feaa85628058f4ac1eaac6c1fcf19c
Tags: 32, dll, exe

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6984 cmdline: loaddll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6996 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7016 cmdline: rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6044 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7004 cmdline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6696 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5904 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7068 cmdline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4972 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7088 cmdline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4664 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7128 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.a85f00.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.6c4390.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.8b4350.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.6c4390.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.8b4350.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 6696
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
  ProcessId: 5904

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.2d042a8.1.raw.unpack, Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: tUJXpPwU27.dll, Virustotal: Detection: 41%
Source: tUJXpPwU27.dll, ReversingLabs: Detection: 48%
Source: tUJXpPwU27.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: tUJXpPwU27.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E7FC8C1 FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E7FC8C1 FindFirstFileExA

Networking:

C2 URLs / IPs found in malware configuration (the full C2 list is given in the Malware Configuration section above)
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190
Source: Joe Sandbox View, IP Address: 78.46.73.125

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 8.2.rundll32.exe.a85f00.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6c4390.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6c4390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.2d042a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.2d042a8.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.a85f00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.998474628.000000000089A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: tUJXpPwU27.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Cilqlpbnkp\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00649DA14_2_00649DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00642FA24_2_00642FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00644BAA4_2_00644BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0064B1B54_2_0064B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0063BFB64_2_0063BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00647BB24_2_00647BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_006393844_2_00639384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00644D8D4_2_00644D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0063758F4_2_0063758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00634F8E4_2_00634F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0063FD914_2_0063FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0064B3974_2_0064B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_006511934_2_00651193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0064D99A4_2_0064D99A
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E7E52A0 appears 49 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E7E52A0 appears 49 times
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                      Source: tUJXpPwU27.dllBinary or memory string: OriginalFilenameOnqeyxlcnp.dll6 vs tUJXpPwU27.dll
                      Source: tUJXpPwU27.dllVirustotal: Detection: 41%
                      Source: tUJXpPwU27.dllReversingLabs: Detection: 48%
                      Source: tUJXpPwU27.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLLJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchpprJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobnyJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLLJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaDJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLLJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLLJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLLJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLLJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                      Source: classification engineClassification label: mal88.troj.evad.winDLL@26/0@0/20
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7E32C0 CoCreateInstance,0_2_6E7E32C0
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7DE200 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,0_2_6E7DE200
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: tUJXpPwU27.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: tUJXpPwU27.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: tUJXpPwU27.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: tUJXpPwU27.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: tUJXpPwU27.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: tUJXpPwU27.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E807737 push ecx; ret 0_2_6E80774A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7E52E6 push ecx; ret 0_2_6E7E52F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E807737 push ecx; ret 2_2_6E80774A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E7E52E6 push ecx; ret 2_2_6E7E52F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B1229 push eax; retf 3_2_007B129A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00631229 push eax; retf 4_2_0063129A
                      Source: tUJXpPwU27.dllStatic PE information: real checksum: 0x7f301 should be: 0x82190
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czuJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E7307 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E483B642h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483859Eh 0x00000007 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E48479C1h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E483B625h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E483B691h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E483B625h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E483B56Fh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E483B635h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E483CF8Eh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: