Windows Analysis Report 2gyA5uNl6VPQUA.dll

Overview

General Information

Sample Name: 2gyA5uNl6VPQUA.dll
Analysis ID: 532048
MD5: 5e20cb3466b66a9cdeac1ac74d9862e4
SHA1: 28ef4facb366de1fc7da62b975c8967997527c36
SHA256: 208939e34f46846c7c95383c6fea7813038b4dea87ea3819c157ccfbbf8aa09a
Tags: dll

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 1.0.loaddll32.exe.843b70.4.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Multi AV Scanner detection for submitted file
Source: 2gyA5uNl6VPQUA.dll Virustotal: Detection: 17%
Source: 2gyA5uNl6VPQUA.dll ReversingLabs: Detection: 25%

Compliance:

Uses 32bit PE files
Source: 2gyA5uNl6VPQUA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: 2gyA5uNl6VPQUA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC02FE7 FindFirstFileExW, 1_2_6EC02FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC02FE7 FindFirstFileExW, 4_2_6EC02FE7

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 104.245.52.73:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 103.8.26.103:8080
Source: Malware configuration extractor IPs: 185.184.25.237:8080
Source: Malware configuration extractor IPs: 103.8.26.102:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 51.68.175.8:8080
Source: Malware configuration extractor IPs: 210.57.217.132:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 19
Source: svchost.exe, 00000002.00000002.368206307.000001B813E13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.comsv
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000003.313081383.000001B813E4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.377109092.000001B813E3E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000002.00000002.384606635.000001B813E69000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.308758027.000001B813E66000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.333640085.000001B813E2F000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.330357133.000001B813E2E000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.318680681.000001B813E2C000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.374497241.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.377109092.000001B813E3E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000002.00000002.378080839.000001B813E42000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.328155171.000001B813E41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 00000002.00000002.378080839.000001B813E42000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.328155171.000001B813E41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.325032729.000001B813E46000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.378807783.000001B813E47000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.318680681.000001B813E2C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000002.00000003.313081383.000001B813E4B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000003.325032729.000001B813E46000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.378807783.000001B813E47000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000003.325032729.000001B813E46000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.378807783.000001B813E47000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000002.374497241.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000002.00000003.311471823.000001B813E4F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000002.00000002.377109092.000001B813E3E000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.318680681.000001B813E2C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 00000002.00000002.377109092.000001B813E3E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000002.00000002.377109092.000001B813E3E000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.368206307.000001B813E13000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000003.327373065.000001B813E45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000003.327373065.000001B813E45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.318680681.000001B813E2C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.333640085.000001B813E2F000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.284289623.000001B813E30000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.330357133.000001B813E2E000.00000004.00000001.sdmp, svchost.exe, 00000002.00000003.318680681.000001B813E2C000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.374497241.000001B813E30000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000002.00000002.368206307.000001B813E13000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 1.2.loaddll32.exe.843b70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.6a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.7c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.843b70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.7c0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.843b70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.843b70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.7c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32a3690.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.492098.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2d92098.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.843b70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.843b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.7c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32a3690.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.30f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.843b70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2d92098.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.843b70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.492098.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.628861831.0000000002D7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.662292442.00000000007C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.601509063.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.602280537.000000000047A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.623586957.0000000002C30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.602326812.00000000006A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.718738083.00000000007C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.564390758.0000000003019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.619081801.0000000002F20000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.602689535.00000000030F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.610271162.00000000032A3000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.611809755.00000000007C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.611849506.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.719186470.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.670664388.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.601464399.00000000007C0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 2gyA5uNl6VPQUA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 156 -p 5816 -ip 5816
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Cyyah\ysrainvzaakh.dkv:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Cyyah\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE5EA0 1_2_6EBE5EA0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBEE6E0 1_2_6EBEE6E0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE66E0 1_2_6EBE66E0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBEA6D0 1_2_6EBEA6D0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBF0F10 1_2_6EBF0F10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE1C10 1_2_6EBE1C10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE75F4 1_2_6EBE75F4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE9D50 1_2_6EBE9D50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC00A61 1_2_6EC00A61
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBED380 1_2_6EBED380
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE38C0 1_2_6EBE38C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBF01D0 1_2_6EBF01D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F406EF 4_2_02F406EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2AEB9 4_2_02F2AEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F356A9 4_2_02F356A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3604E 4_2_02F3604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3BA18 4_2_02F3BA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F391F7 4_2_02F391F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3E7DA 4_2_02F3E7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F389DA 4_2_02F389DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3ED95 4_2_02F3ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F22B7C 4_2_02F22B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2196D 4_2_02F2196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F28D59 4_2_02F28D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F33130 4_2_02F33130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F28112 4_2_02F28112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F25314 4_2_02F25314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2BEF5 4_2_02F2BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F420F8 4_2_02F420F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2E6FD 4_2_02F2E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2A8E8 4_2_02F2A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F40AD3 4_2_02F40AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F37EDD 4_2_02F37EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F254C0 4_2_02F254C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3B0BA 4_2_02F3B0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F33ABE 4_2_02F33ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F304A4 4_2_02F304A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2F4A5 4_2_02F2F4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F268AD 4_2_02F268AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2C69B 4_2_02F2C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2F699 4_2_02F2F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2D899 4_2_02F2D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F23085 4_2_02F23085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F41C71 4_2_02F41C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3E478 4_2_02F3E478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F40C66 4_2_02F40C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3645F 4_2_02F3645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F30A37 4_2_02F30A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F23E3B 4_2_02F23E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3CC3F 4_2_02F3CC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F30824 4_2_02F30824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F31C12 4_2_02F31C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F42C16 4_2_02F42C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2F20D 4_2_02F2F20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F21DF9 4_2_02F21DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F26BFE 4_2_02F26BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3D5FE 4_2_02F3D5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F435E3 4_2_02F435E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2FBEF 4_2_02F2FBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2B7EC 4_2_02F2B7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F313DB 4_2_02F313DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F25DC3 4_2_02F25DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F239C3 4_2_02F239C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F34DC5 4_2_02F34DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F30FC5 4_2_02F30FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F22DC5 4_2_02F22DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3BFA1 4_2_02F3BFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F377A7 4_2_02F377A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F233A9 4_2_02F233A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F36B91 4_2_02F36B91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F41987 4_2_02F41987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F27D87 4_2_02F27D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2F984 4_2_02F2F984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2938F 4_2_02F2938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3C772 4_2_02F3C772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F22176 4_2_02F22176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F22575 4_2_02F22575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F35B7C 4_2_02F35B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2597D 4_2_02F2597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3F561 4_2_02F3F561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F25166 4_2_02F25166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2DD66 4_2_02F2DD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F42560 4_2_02F42560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F29565 4_2_02F29565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2996C 4_2_02F2996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2635F 4_2_02F2635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F24F42 4_2_02F24F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3C145 4_2_02F3C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F42D4F 4_2_02F42D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F4314A 4_2_02F4314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2E336 4_2_02F2E336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3473A 4_2_02F3473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F27739 4_2_02F27739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F26125 4_2_02F26125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2B12E 4_2_02F2B12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3CF2C 4_2_02F3CF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F24716 4_2_02F24716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F38518 4_2_02F38518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F43306 4_2_02F43306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3D10B 4_2_02F3D10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3710D 4_2_02F3710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBE5EA0 4_2_6EBE5EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBEE6E0 4_2_6EBEE6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBE66E0 4_2_6EBE66E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBEA6D0 4_2_6EBEA6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBF0F10 4_2_6EBF0F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBE1C10 4_2_6EBE1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBE75F4 4_2_6EBE75F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBE9D50 4_2_6EBE9D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC00A61 4_2_6EC00A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBED380 4_2_6EBED380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBE38C0 4_2_6EBE38C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBF01D0 4_2_6EBF01D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C506EF 8_2_02C506EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C4ED95 8_2_02C4ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C354C0 8_2_02C354C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C50AD3 8_2_02C50AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C47EDD 8_2_02C47EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3A8E8 8_2_02C3A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3BEF5 8_2_02C3BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C520F8 8_2_02C520F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3E6FD 8_2_02C3E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C33085 8_2_02C33085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3C69B 8_2_02C3C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3F699 8_2_02C3F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3D899 8_2_02C3D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C404A4 8_2_02C404A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3F4A5 8_2_02C3F4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C456A9 8_2_02C456A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C368AD 8_2_02C368AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C43ABE 8_2_02C43ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3AEB9 8_2_02C3AEB9
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EBE1C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EBFD350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EBE1C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EBFD350 appears 33 times
Source: 2gyA5uNl6VPQUA.dll Virustotal: Detection: 17%
Source: 2gyA5uNl6VPQUA.dll ReversingLabs: Detection: 25%
Source: 2gyA5uNl6VPQUA.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\svchost.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,bhramccfbdd
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cyyah\ysrainvzaakh.dkv",pczodXjTBX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 156 -p 5816 -ip 5816
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5816 -ip 5816
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine Classification label: mal76.troj.evad.winDLL@35/8@0/30
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:3376:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5796:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 2gyA5uNl6VPQUA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 2gyA5uNl6VPQUA.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC09153 push ecx; ret 1_2_6EC09166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2151C push ds; ret 4_2_02F21527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2150F push ds; ret 4_2_02F21527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC09153 push ecx; ret 4_2_6EC09166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3150F push ds; ret 8_2_02C31527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C3151C push ds; ret 8_2_02C31527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A150F push ds; ret 9_2_006A1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006A151C push ds; ret 9_2_006A1527
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBEE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 1_2_6EBEE4E0

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Cyyah\ysrainvzaakh.dkv

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cyyah\ysrainvzaakh.dkv:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC02FE7 FindFirstFileExW, 1_2_6EC02FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC02FE7 FindFirstFileExW, 4_2_6EC02FE7
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000000.00000002.717607985.000001E3F0829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC029E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EC029E6
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBEE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 1_2_6EBEE4E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBE1290 GetProcessHeap,HeapAlloc,HeapFree, 1_2_6EBE1290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFC050 mov eax, dword ptr fs:[00000030h] 1_2_6EBFC050
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFBFE0 mov esi, dword ptr fs:[00000030h] 1_2_6EBFBFE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFBFE0 mov eax, dword ptr fs:[00000030h] 1_2_6EBFBFE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC012CB mov ecx, dword ptr fs:[00000030h] 1_2_6EC012CB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC0298C mov eax, dword ptr fs:[00000030h] 1_2_6EC0298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F34315 mov eax, dword ptr fs:[00000030h] 4_2_02F34315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBFC050 mov eax, dword ptr fs:[00000030h] 4_2_6EBFC050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBFBFE0 mov esi, dword ptr fs:[00000030h] 4_2_6EBFBFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBFBFE0 mov eax, dword ptr fs:[00000030h] 4_2_6EBFBFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC012CB mov ecx, dword ptr fs:[00000030h] 4_2_6EC012CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC0298C mov eax, dword ptr fs:[00000030h] 4_2_6EC0298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02C44315 mov eax, dword ptr fs:[00000030h] 8_2_02C44315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_006B4315 mov eax, dword ptr fs:[00000030h] 9_2_006B4315
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6EBFCB22
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EC029E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EC029E6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EBFD1CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBFCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6EBFCB22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EC029E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EC029E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EBFD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EBFD1CC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 156 -p 5816 -ip 5816
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5816 -ip 5816
Source: loaddll32.exe, 00000001.00000000.678637446.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.601565408.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.611901245.00000000011B0000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.719032466.0000023832B90000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.719324096.0000000003380000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000000.678637446.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.601565408.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.611901245.00000000011B0000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.719032466.0000023832B90000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.719324096.0000000003380000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.678637446.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.601565408.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.611901245.00000000011B0000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.719032466.0000023832B90000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.719324096.0000000003380000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.678637446.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.601565408.00000000011B0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.611901245.00000000011B0000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.719032466.0000023832B90000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.719324096.0000000003380000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFCC44 cpuid 1_2_6EBFCC44
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EBFCE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6EBFCE15

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000A.00000002.717656426.000001BCDCC40000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.717871683.000001BCDCD02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000001.00000000.611809755.00000000007C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.611849506.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.719186470.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.670664388.000000000083D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.601464399.00000000007C0000.00000040.00000010.sdmp, type: MEMORY