Windows Analysis Report tUJXpPwU27

Overview

General Information

Sample Name: tUJXpPwU27 (renamed file extension from none to dll)
Analysis ID: 528351
MD5: 15239e7be7ce6bfaf0681eb66bcde356
SHA1: 55dc2a27f408bf6437224ecfc62cc01a3311ec08
SHA256: 79036368e6229fa1c4eb724a34e4d10973feaa85628058f4ac1eaac6c1fcf19c
Tags: 32, dll, exe

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6984 cmdline: loaddll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6996 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7016 cmdline: rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6044 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7004 cmdline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6696 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5904 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7068 cmdline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4972 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7088 cmdline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4664 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7128 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
8.2.rundll32.exe.a85f00.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.6c4390.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
5.2.rundll32.exe.8b4350.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.6c4390.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
5.2.rundll32.exe.8b4350.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started; Author: FPT.EagleEye
Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 6696
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
  ProcessId: 5904

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.2d042a8.1.raw.unpack; Malware Configuration Extractor: Emotet (same configuration as given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: tUJXpPwU27.dll; Virustotal: Detection: 41%
Source: tUJXpPwU27.dll; ReversingLabs: Detection: 48%
Source: tUJXpPwU27.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: tUJXpPwU27.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E7FC8C1 FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E7FC8C1 FindFirstFileExA

Networking:

C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: EcobandGH
Source: Joe Sandbox View; ASN Name: HETZNER-ASDE
Source: Joe Sandbox View; IP Address: 207.148.81.119
Source: Joe Sandbox View; IP Address: 196.44.98.190
Source: Joe Sandbox View; IP Address: 78.46.73.125

E-Banking Fraud:

Yara detected Emotet
Source: Yara match; File source: 8.2.rundll32.exe.a85f00.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.6c4390.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.6c4390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.2d042a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.2d042a8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.rundll32.exe.a85f00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.998474628.000000000089A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: tUJXpPwU27.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Cilqlpbnkp\
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E7E52A0 appears 49 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E7E52A0 appears 49 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
                      Source: tUJXpPwU27.dll | Binary or memory string: OriginalFilenameOnqeyxlcnp.dll6 vs tUJXpPwU27.dll
                      Source: tUJXpPwU27.dll | Virustotal: Detection: 41%
                      Source: tUJXpPwU27.dll | ReversingLabs: Detection: 48%
                      Source: tUJXpPwU27.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engine | Classification label: mal88.troj.evad.winDLL@26/0@0/20
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E32C0 CoCreateInstance,
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7DE200 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: tUJXpPwU27.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: tUJXpPwU27.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: tUJXpPwU27.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: tUJXpPwU27.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: tUJXpPwU27.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: tUJXpPwU27.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E807737 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E52E6 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E807737 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7E52E6 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_007B1229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00631229 push eax; retf
                      Source: tUJXpPwU27.dll | Static PE information: real checksum: 0x7f301 should be: 0x82190
                      Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E7307 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E483B642h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483859Eh 0x00000007 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E48479C1h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E483B625h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E483B691h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E483B625h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E483B56Fh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E483B635h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E483CF8Eh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E48385B2h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483B62Eh 0x00000007 rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E4844931h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E4838595h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E4838601h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E4838595h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E48384DFh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E48385A5h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E4839EFEh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E483B642h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483859Eh 0x00000007 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E48479C1h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E483B625h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E483B691h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E483B625h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E483B56Fh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E483B635h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E483CF8Eh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
                      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D6430 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7FC8C1 FindFirstFileExA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7FC8C1 FindFirstFileExA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation

                      Anti Debugging:

                      Found potential dummy code loops (likely to delay analysis)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 90% for more than 60s
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E78AF IsDebuggerPresent,OutputDebugStringW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E7C71 GetProcessHeap,HeapFree,
                      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D6430 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D6430 mov edi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E7B5A mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D6320 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7F607A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D8080 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7D6430 mov edi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7E7B5A mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7D6320 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7F607A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7D8080 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_007CDE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0064DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E48F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7EE411 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E517D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7E48F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7EE411 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7E517D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
                      Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E4FD6 cpuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7E52FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 8.2.rundll32.exe.a85f00.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.6c4390.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.6c4390.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.2d042a8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.2d042a8.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.a85f00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.998474628.000000000089A000.00000004.00000020.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D1890 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E7D1890 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Application Shimming 1 | Process Injection 12 | Masquerading 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming 1 | Virtualization/Sandbox Evasion 11 | LSASS Memory | Security Software Discovery 23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 123 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 528351 | Sample: tUJXpPwU27 | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 88
                      Network nodes: 85.214.67.203 (STRATOSTRATOAGDE, Germany); 195.154.146.35 (OnlineSASFR, France); 18 other IPs or domains
                      Sample-level signatures: Sigma detected: Emotet RunDLL32 Process Creation; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures
                      Processes started at top level: loaddll32.exe; svchost.exe (three instances)
                      loaddll32.exe (signature: Tries to detect virtualization through RDTSC time measurements) starts rundll32.exe, cmd.exe, a second rundll32.exe and 2 other processes; each of these starts a further rundll32.exe, and two of those start one more rundll32.exe each
                      Signatures on the first rundll32.exe child: Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements; Hides that the sample has been downloaded from the Internet (zone.identifier)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source            Detection   Scanner         Label
tUJXpPwU27.dll    42%         Virustotal
tUJXpPwU27.dll    49%         ReversingLabs   Win32.Trojan.Emotet

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                               Detection   Scanner   Label
8.2.rundll32.exe.9e0000.0.unpack     100%        Avira     HEUR/AGEN.1110387
4.2.rundll32.exe.630000.0.unpack     100%        Avira     HEUR/AGEN.1110387
5.2.rundll32.exe.810000.0.unpack     100%        Avira     HEUR/AGEN.1110387
2.2.rundll32.exe.2c60000.0.unpack    100%        Avira     HEUR/AGEN.1110387
0.2.loaddll32.exe.910000.0.unpack    100%        Avira     HEUR/AGEN.1110387
3.2.rundll32.exe.7b0000.0.unpack     100%        Avira     HEUR/AGEN.1110387

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

Public

IP                Domain    Country         ASN      ASN Name                          Malicious
207.148.81.119    unknown   United States   20473    AS-CHOOPAUS                       true
196.44.98.190     unknown   Ghana           327814   EcobandGH                         true
78.46.73.125      unknown   Germany         24940    HETZNER-ASDE                      true
37.59.209.141     unknown   France          16276    OVHFR                             true
85.214.67.203     unknown   Germany         6724     STRATOSTRATOAGDE                  true
191.252.103.16    unknown   Brazil          27715    LocawebServicosdeInternetSABR     true
45.79.33.48       unknown   United States   63949    LINODE-APLinodeLLCUS              true
54.37.228.122     unknown   France          16276    OVHFR                             true
185.148.169.10    unknown   Germany         44780    EVERSCALE-ASDE                    true
142.4.219.173     unknown   Canada          16276    OVHFR                             true
54.38.242.185     unknown   France          16276    OVHFR                             true
195.154.146.35    unknown   France          12876    OnlineSASFR                       true
195.77.239.39     unknown   Spain           60493    FICOSA-ASES                       true
78.47.204.80      unknown   Germany         24940    HETZNER-ASDE                      true
168.197.250.14    unknown   Argentina       264776   OmarAnselmoRipollTDCNETAR         true
51.178.61.60      unknown   France          16276    OVHFR                             true
177.72.80.14      unknown   Brazil          262543   NewLifeFibraBR                    true
66.42.57.149      unknown   United States   20473    AS-CHOOPAUS                       true
37.44.244.177     unknown   Germany         47583    AS-HOSTINGERLT                    true
51.210.242.234    unknown   France          16276    OVHFR                             true
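The table above is the report's extracted C2 configuration, and the first thing an analyst does with it is turn it into indicators. The script below is an added example, not part of the report: it parses the flattened three-lines-per-row layout in which this table was extracted (IP, then the "unknown" domain column fused with the country, then ASN number, ASN name and the malicious flag fused together), drops anything that is not a globally routable address, groups by ASN and emits a blocklist. The row layout it relies on is an assumption about this page's extraction, not a Joe Sandbox export format; the five rows embedded are copied from the table.

```python
"""Parse the flattened 'Contacted IPs' table above into records and
derive an ASN grouping and a blocklist.

Added example, not part of the report. The three-lines-per-row layout
(IP / 'unknown'+country / ASN+name+malicious) is an assumption about how
this page was extracted, not a Joe Sandbox export format."""
import ipaddress
import re
from collections import defaultdict

# Constructed input: five rows copied from the Contacted IPs table.
REPORT_EXCERPT = """\
207.148.81.119
unknownUnited States
20473AS-CHOOPAUStrue
196.44.98.190
unknownGhana
327814EcobandGHtrue
78.46.73.125
unknownGermany
24940HETZNER-ASDEtrue
37.59.209.141
unknownFrance
16276OVHFRtrue
54.37.228.122
unknownFrance
16276OVHFRtrue
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Domain column is always the literal 'unknown' in this report (assumption).
COUNTRY_RE = re.compile(r"^unknown(?P<country>.+)$")
# ASN digits, then the name, then the malicious flag, all fused.
ASN_RE = re.compile(r"^(?P<asn>\d+)(?P<name>.+?)(?P<malicious>true|false)$")


def parse_contacted_ips(text):
    """Return one dict per row. Rows whose address is not globally routable
    (private, loopback, reserved, or malformed) are dropped: they cannot be
    C2 endpoints and would poison a blocklist."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    i = 0
    while i + 2 < len(lines):
        if not IP_RE.match(lines[i]):
            i += 1
            continue
        country = COUNTRY_RE.match(lines[i + 1])
        asn = ASN_RE.match(lines[i + 2])
        if not (country and asn):
            i += 1
            continue
        try:
            addr = ipaddress.ip_address(lines[i])
        except ValueError:
            addr = None
        if addr is not None and addr.is_global:
            records.append({
                "ip": str(addr),
                "country": country.group("country"),
                "asn": int(asn.group("asn")),
                "asn_name": asn.group("name"),
                "malicious": asn.group("malicious") == "true",
            })
        i += 3
    return records


def group_by_asn(records):
    """ASN number -> sorted IPs, to expose hosting-provider clusters
    (OVH alone hosts six of the twenty addresses in the full table)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["asn"]].append(rec["ip"])
    return {asn: sorted(ips) for asn, ips in groups.items()}


def blocklist(records):
    """Sorted, de-duplicated malicious IPs, ordered numerically."""
    return sorted({r["ip"] for r in records if r["malicious"]},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_contacted_ips(REPORT_EXCERPT)
    for asn, ips in sorted(group_by_asn(recs).items()):
        print(f"AS{asn}: {', '.join(ips)}")
    print("\n".join(blocklist(recs)))
```

Block on the individual addresses, not on the ASNs: the same OVH and Hetzner ranges host plenty of legitimate services, and the ASN grouping is for pivoting in the Context section below, not for enforcement.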

                      General Information

                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:528351
                      Start date:25.11.2021
                      Start time:05:11:12
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 10m 34s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:tUJXpPwU27 (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal88.troj.evad.winDLL@26/0@0/20
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 14% (good quality ratio 12.5%)
                      • Quality average: 67.9%
                      • Quality standard deviation: 30.6%
                      HCA Information:
                      • Successful, ratio: 69%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 20.54.110.249, 52.251.79.25
• Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      No simulations

Joe Sandbox View / Context

IPs

Three of the contacted IPs were previously seen in earlier analyses. 207.148.81.119, 196.44.98.190 and 78.46.73.125 each appear in the same set of twenty samples, all detected as malicious:

  pYebrdRKvR.dll, pPX9DaPVYj.dll, wUKXjICs5f.dll, cRC6TZG6Wx.dll, qrb6jVwzoe.dll, 1711.doc, GQwxmGZFvtg.dll, wNjqkrm8pH.dll, 5YO8hZg21O.dll, dUGnMYeP1C.dll, yFAXc9z51V.dll, 9fC0as7YLE.dll, FIyE6huzxV.dll, V0gZWRXv8d.dll, t5EuQW2GUF.dll, uh1WyesPlh.dll, 8rryPzJR1p.dll, a65FgjVus4.dll, bWjYh6H8wk.dll, ZJOHKItBoJ.dll

                                                                                                                                              Domains

                                                                                                                                              No context

ASN

Earlier analyses (all detected as malicious) that contacted the same ASNs, with the IP each sample used:

HETZNER-ASDE
  LZxr7xI4nc.exe                                            5.9.162.45
  3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe         5.9.162.45
  5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe         5.9.162.45
  23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe         5.9.162.45
  exe.exe                                                   116.202.203.61
  J73PTzDghy.exe                                            94.130.138.146
  piPvSLcFXV.exe                                            88.99.210.172
  fkYZ7hyvnD.exe                                            116.202.14.219
  .#U266bvmail-478314QOZVOYBY30.htm                         168.119.38.214
  pYebrdRKvR.dll                                            78.47.204.80
  pPX9DaPVYj.dll                                            78.47.204.80
  wUKXjICs5f.dll                                            78.47.204.80
  cRC6TZG6Wx.dll                                            78.47.204.80
  qrb6jVwzoe.dll                                            78.47.204.80
  copy_tt_inv_10192ne.exe                                   49.12.42.56
  FACTURAS.exe                                              116.202.203.61
  wE3YzRd1IZ.exe                                            135.181.163.109
  wCkjCMnGrO                                                116.203.73.1
  79GRrdea5l.exe                                            159.69.123.221
  MtCsSK9TK2.exe                                            95.216.4.252

AS-CHOOPAUS
  LZxr7xI4nc.exe                                            149.28.253.196
  3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe         149.28.253.196
  5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe         149.28.253.196
  asbestos_safety_and_eradication_agency_enterprise_agreement 41573 .js   45.76.154.237
  23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe         149.28.253.196
  DA8063D9EB60622915D492542A6A8AE318BC87B4C5F89.exe         155.138.201.103
  asbestos_safety_and_eradication_agency_enterprise_agreement 64081 .js   45.76.154.237
  pYebrdRKvR.dll                                            66.42.57.149
  pPX9DaPVYj.dll                                            66.42.57.149
  wUKXjICs5f.dll                                            66.42.57.149
  cRC6TZG6Wx.dll                                            66.42.57.149
  qrb6jVwzoe.dll                                            66.42.57.149
  AWB_NO_9284730932.exe                                     45.32.28.45
  arm6-20211124-0649                                        44.168.42.223
  6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe         149.28.253.196
  FhP4JYCU7J.exe                                            149.28.253.196
  FhP4JYCU7J.exe                                            149.28.253.196
  bomba.arm                                                 44.168.169.161
  44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe         149.28.253.196
  77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe         149.28.253.196

EcobandGH
  pYebrdRKvR.dll                                            196.44.98.190
  pPX9DaPVYj.dll                                            196.44.98.190
  wUKXjICs5f.dll                                            196.44.98.190
  cRC6TZG6Wx.dll                                            196.44.98.190
  qrb6jVwzoe.dll                                            196.44.98.190
  1711.doc                                                  196.44.98.190
  n6J7QJs4bk.dll                                            196.44.109.73
  GQwxmGZFvtg.dll                                           196.44.98.190
  wNjqkrm8pH.dll                                            196.44.98.190
  5YO8hZg21O.dll                                            196.44.98.190
  dUGnMYeP1C.dll                                            196.44.98.190
  yFAXc9z51V.dll                                            196.44.98.190
  9fC0as7YLE.dll
                                                                                                                                              • 196.44.98.190
                                                                                                                                              FIyE6huzxV.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              V0gZWRXv8d.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              t5EuQW2GUF.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              uh1WyesPlh.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              8rryPzJR1p.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              a65FgjVus4.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              bWjYh6H8wk.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.1578551978819025
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: tUJXpPwU27.dll
File size: 481792
MD5: 15239e7be7ce6bfaf0681eb66bcde356
SHA1: 55dc2a27f408bf6437224ecfc62cc01a3311ec08
SHA256: 79036368e6229fa1c4eb724a34e4d10973feaa85628058f4ac1eaac6c1fcf19c
SHA512: 366168368edc0dae19f071431deb1b5a8a9141179ebf84623e8053a00915dc69ec941273658a6c2a94f897f2fc053767774a310ccf4964d3e37d545ab1ad93fa
SSDEEP: 6144:m3M5xEQPjPLlMcp8gvSaX5EAoiAO0X1Ah8JOKXDebPG0+Z0C4OGUBbiA1:m3M5Bj5Mcp8QlwiaiYe6DZrzGyWA1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8...9...8...9...8...9...8...9...8...9...8...9...8...9...8...9...8...8]..8/..9...8/..9...8/..8...8..e8...8/..9...

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10014ee6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619C8049 [Tue Nov 23 05:46:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: f81a3c8b673ca7b3a7f6c06eaa20660c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FD9E49618D7h
call 00007FD9E4961D2Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FD9E4961788h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD9E494DEAEh
mov dword ptr [esi], 1003A3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003A3F0h
mov dword ptr [ecx], 1003A3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD9E494DE7Bh
mov dword ptr [esi], 1003A404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003A40Ch
mov dword ptr [ecx], 1003A404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003A3DCh
push eax
call 00007FD9E4964FE6h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FD9E49618DCh
push 0000000Ch
push esi
call 00007FD9E4960D5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD9E496184Fh
push 0004BB5Ch

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4c620 | 0x31c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4c93c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x51000 | 0x24410 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x76000 | 0x3324 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x48818 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3a000 | 0x2fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x389dc | 0x38a00 | False | 0.532840956126 | data | 6.65955400705 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3a000 | 0x13970 | 0x13a00 | False | 0.462567177548 | data | 5.41826950668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4e000 | 0x252c | 0x1800 | False | 0.224446614583 | data | 3.84154709275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x51000 | 0x24410 | 0x24600 | False | 0.810030068729 | data | 7.73179054959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x76000 | 0x3324 | 0x3400 | False | 0.706280048077 | data | 6.57246100993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
REGISTRY | 0x748d0 | 0x98 | ASCII text, with CRLF line terminators | English | United States
REGISTRY | 0x74968 | 0x260 | ASCII text, with CRLF line terminators | English | United States
TYPELIB | 0x74bc8 | 0x69c | data | English | United States
RT_BITMAP | 0x51220 | 0x23467 | data | English | United States
RT_STRING | 0x75268 | 0x26 | data | English | United States
RT_VERSION | 0x74688 | 0x244 | data | English | United States
RT_MANIFEST | 0x75290 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
pdh.dll | PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll | GetCommandLineW, GetTickCount, GetThreadLocale, GetSystemDefaultUILanguage, UnregisterApplicationRecoveryCallback, AreFileApisANSI, GetEnvironmentStringsW, GetUserDefaultUILanguage, GetCommandLineA, GetOEMCP, GetACP, IsDebuggerPresent, GetLogicalDrives, GetThreadErrorMode, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, GetCurrentThreadId, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, GetCurrentThread, SwitchToThread, GetCurrentProcessorNumber, GetSystemDefaultLangID, GetProcessHeap, CloseHandle, ReadFile, IsProcessorFeaturePresent, FindClose, FindNextFileA, TlsAlloc, GetTickCount64, SetStdHandle, WriteConsoleW, CreateFileW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, WriteFile, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, GetCurrentProcess
USER32.dll | IsWow64Message, GetForegroundWindow, GetDialogBaseUnits, GetKBCodePage, CreateMenu, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, GetWindowLongW, SetWindowLongW, CharNextW, UnregisterClassW, GetProcessWindowStation, GetCapture, GetShellWindow, InSendMessage, GetDesktopWindow
GDI32.dll | SetBkMode, SetTextColor, CreateFontW, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, GdiFlush, BitBlt
ADVAPI32.dll | RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll | SHGetFolderPathW, ShellExecuteW, InitNetworkAddressControl
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll | SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, SysAllocStringLen, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib, LoadRegTypeLib, VariantClear

Exports

Name                 Ordinal  Address
Control_RunDLL       1        0x10001200
aocchppr             2        0x100013b0
atibsyaucowikobny    3        0x10001420
bvafzbibi            4        0x10001260
ccqnwbyae            5        0x10001360
cexqsfxw             6        0x100012e0
empowarazlgur        7        0x10001410
endgbqmzljghfnq      8        0x100012a0
esdtimfxxlnmfs       9        0x10001280
etbieozyt            10       0x10001290
hkzzsvhejwyq         11       0x10001390
hmbsngzsvchwukon     12       0x100013a0
hxlaiiu              13       0x10001300
jqixmuxnbhtctasjq    14       0x10001350
jrkfsywgmnnf         15       0x10001330
kaytbfl              16       0x10001380
kdrtaqrgksymmwfa     17       0x10001250
lxyvbkrs             18       0x100013c0
mcciqvdkr            19       0x100012c0
nlkxsuvlirsnbibs     20       0x100012f0
nvpjwtm              21       0x10001310
qvwsndh              22       0x100012b0
skadootwpkucfzyhc    23       0x100013d0
spzoepcgjgfcwyvbv    24       0x10001340
tctmhmvyu            25       0x10001270
tulscoow             26       0x10001320
vwubdvrb             27       0x100012d0
wwjwzhmvamgokpco     28       0x10001400
xkxzfhlcypx          29       0x100013e0
ymbvkolu             30       0x100013f0
ysalxcm              31       0x10001370
yunkbwpwoaao         32       0x10001240
zcnrxdgkldemutk      33       0x10001230

Version Infos

Description       Data
InternalName:     Onqeyxlcnp.dll
FileVersion:      7.2.3.7
ProductName:      Onqeyxlcnp
ProductVersion:   7.2.3.7
FileDescription:  asdzxcqwe123
OriginalFilename: Onqeyxlcnp.dll
Translation:      0x0408 0x04e4

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 05:11:59
Start date: 25/11/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll"
Imagebase: 0xdb0000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:12:00
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 05:12:00
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:12:00
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:12:04
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:12:09
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.998474628.000000000089A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:14:32
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 05:14:34
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:14:39
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
Imagebase: 0xb70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                              General

                                                                                                                                              Start time:05:14:42
                                                                                                                                              Start date:25/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                                                                                                                                              Imagebase:0xb70000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:05:14:43
                                                                                                                                              Start date:25/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
                                                                                                                                              Imagebase:0xb70000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:05:15:05
                                                                                                                                              Start date:25/11/2021
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:05:15:37
                                                                                                                                              Start date:25/11/2021
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              General

                                                                                                                                              Start time:05:15:46
                                                                                                                                              Start date:25/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
                                                                                                                                              Imagebase:0xb70000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              General

                                                                                                                                              Start time:05:15:56
                                                                                                                                              Start date:25/11/2021
                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                                              File size:51288 bytes
                                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              Disassembly

                                                                                                                                              Code Analysis
