Windows Analysis Report snBYiBAMB2

Overview

General Information

Sample Name: snBYiBAMB2 (renamed file extension from none to dll)
Analysis ID: 532249
MD5: 4bd80b1d18138b1808925ddb69991001
SHA1: 2a78af27a95639c1095e4f8a411a8efb9c861abc
SHA256: 32f1f59b8c52019d2a946ddff1996e13fbadac1ed518278a281267f440ea3ea4
Tags: 32dllexe

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: snBYiBAMB2.dll Virustotal: Detection: 24%

Compliance:

Uses 32bit PE files
Source: snBYiBAMB2.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: snBYiBAMB2.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA2BA20 FindFirstFileExW, 1_2_6EA2BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA2BA20 FindFirstFileExW, 4_2_6EA2BA20

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 104.245.52.73:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 103.8.26.103:8080
Source: Malware configuration extractor IPs: 185.184.25.237:8080
Source: Malware configuration extractor IPs: 103.8.26.102:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 51.68.175.8:8080
Source: Malware configuration extractor IPs: 210.57.217.132:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 18
Source: svchost.exe, 0000000A.00000002.439435350.000002A54E413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.combled
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.410874299.000002A54E468000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459059998.000002A54E46A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.412843267.000002A54E45F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457686821.000002A54E460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e041f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.ac4248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: snBYiBAMB2.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Gcdru\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA057C0 1_2_6EA057C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA062C0 1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA2AE28 1_2_6EA2AE28
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA31F65 1_2_6EA31F65
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA12C70 1_2_6EA12C70
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA1FD1F 1_2_6EA1FD1F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA21D50 1_2_6EA21D50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA02B50 1_2_6EA02B50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA358EF 1_2_6EA358EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA0E6B0 1_2_6EA0E6B0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA357CB 1_2_6EA357CB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA30569 1_2_6EA30569
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA09380 1_2_6EA09380
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA1C366 1_2_6EA1C366
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA340B7 1_2_6EA340B7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA1C132 1_2_6EA1C132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F306EF 4_2_02F306EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1AEB9 4_2_02F1AEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F256A9 4_2_02F256A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1F699 4_2_02F1F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2604E 4_2_02F2604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2BA18 4_2_02F2BA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F291F7 4_2_02F291F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2E7DA 4_2_02F2E7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F289DA 4_2_02F289DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2ED95 4_2_02F2ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F12B7C 4_2_02F12B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1196D 4_2_02F1196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F18D59 4_2_02F18D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F23130 4_2_02F23130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F18112 4_2_02F18112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F15314 4_2_02F15314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1BEF5 4_2_02F1BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F320F8 4_2_02F320F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1E6FD 4_2_02F1E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1A8E8 4_2_02F1A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F30AD3 4_2_02F30AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F27EDD 4_2_02F27EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F154C0 4_2_02F154C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2B0BA 4_2_02F2B0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F23ABE 4_2_02F23ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1F4A5 4_2_02F1F4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F204A4 4_2_02F204A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F168AD 4_2_02F168AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1D899 4_2_02F1D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1C69B 4_2_02F1C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F13085 4_2_02F13085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F31C71 4_2_02F31C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2E478 4_2_02F2E478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F30C66 4_2_02F30C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2645F 4_2_02F2645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F20A37 4_2_02F20A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F13E3B 4_2_02F13E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2CC3F 4_2_02F2CC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F20824 4_2_02F20824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F21C12 4_2_02F21C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F32C16 4_2_02F32C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1F20D 4_2_02F1F20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F11DF9 4_2_02F11DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2D5FE 4_2_02F2D5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F16BFE 4_2_02F16BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F335E3 4_2_02F335E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1B7EC 4_2_02F1B7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1FBEF 4_2_02F1FBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F213DB 4_2_02F213DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F15DC3 4_2_02F15DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F139C3 4_2_02F139C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F12DC5 4_2_02F12DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F24DC5 4_2_02F24DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F20FC5 4_2_02F20FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2BFA1 4_2_02F2BFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F277A7 4_2_02F277A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F133A9 4_2_02F133A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F26B91 4_2_02F26B91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F31987 4_2_02F31987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1F984 4_2_02F1F984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F17D87 4_2_02F17D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1938F 4_2_02F1938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2C772 4_2_02F2C772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F12575 4_2_02F12575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F12176 4_2_02F12176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1597D 4_2_02F1597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F25B7C 4_2_02F25B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2F561 4_2_02F2F561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F32560 4_2_02F32560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F19565 4_2_02F19565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F15166 4_2_02F15166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1DD66 4_2_02F1DD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1996C 4_2_02F1996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1635F 4_2_02F1635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F14F42 4_2_02F14F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2C145 4_2_02F2C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F3314A 4_2_02F3314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F32D4F 4_2_02F32D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1E336 4_2_02F1E336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F17739 4_2_02F17739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2473A 4_2_02F2473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F16125 4_2_02F16125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2CF2C 4_2_02F2CF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1B12E 4_2_02F1B12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F14716 4_2_02F14716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F28518 4_2_02F28518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F33306 4_2_02F33306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2D10B 4_2_02F2D10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F2710D 4_2_02F2710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA057C0 4_2_6EA057C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA062C0 4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA1FEEA 4_2_6EA1FEEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA2AE28 4_2_6EA2AE28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA31F65 4_2_6EA31F65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA12C70 4_2_6EA12C70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA1FD1F 4_2_6EA1FD1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA21D50 4_2_6EA21D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA02B50 4_2_6EA02B50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA358EF 4_2_6EA358EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA0E6B0 4_2_6EA0E6B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA357CB 4_2_6EA357CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA30569 4_2_6EA30569
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA09380 4_2_6EA09380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA1C366 4_2_6EA1C366
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA340B7 4_2_6EA340B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA1C132 4_2_6EA1C132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004206EF 5_2_004206EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041ED95 5_2_0041ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041604E 5_2_0041604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041645F 5_2_0041645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00420C66 5_2_00420C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00421C71 5_2_00421C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041E478 5_2_0041E478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040F20D 5_2_0040F20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00411C12 5_2_00411C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00422C16 5_2_00422C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041BA18 5_2_0041BA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00410824 5_2_00410824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00410A37 5_2_00410A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00403E3B 5_2_00403E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041CC3F 5_2_0041CC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004054C0 5_2_004054C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00420AD3 5_2_00420AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00417EDD 5_2_00417EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040A8E8 5_2_0040A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040BEF5 5_2_0040BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004220F8 5_2_004220F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040E6FD 5_2_0040E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00403085 5_2_00403085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040F699 5_2_0040F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040D899 5_2_0040D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040C69B 5_2_0040C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004104A4 5_2_004104A4
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA14F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA14F90 appears 52 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA01460 zwijaemkuj, 1_2_6EA01460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA01460 zwijaemkuj, 4_2_6EA01460
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: snBYiBAMB2.dll Binary or memory string: OriginalFilenameCtqfbxsirs.dll6 vs snBYiBAMB2.dll
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: snBYiBAMB2.dll Virustotal: Detection: 24%
Source: snBYiBAMB2.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal88.troj.evad.winDLL@35/2@0/29
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA0AF10 CoCreateInstance,OleRun, 1_2_6EA0AF10
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4544:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA057C0 GetTickCount64,FindResourceA, 1_2_6EA057C0
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: snBYiBAMB2.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: snBYiBAMB2.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: snBYiBAMB2.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: snBYiBAMB2.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: snBYiBAMB2.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: snBYiBAMB2.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA14FE0 push ecx; ret 1_2_6EA14FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA373E1 push ecx; ret 1_2_6EA373F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1151C push ds; ret 4_2_02F11527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F1150F push ds; ret 4_2_02F11527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA14FE0 push ecx; ret 4_2_6EA14FF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA0E240 push esi; ret 4_2_6EA0E242
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA373E1 push ecx; ret 4_2_6EA373F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040150F push ds; ret 5_2_00401527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040151C push ds; ret 5_2_00401527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02CB150F push ds; ret 8_2_02CB1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02CB151C push ds; ret 8_2_02CB1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0470151C push ds; ret 15_2_04701527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0470150F push ds; ret 15_2_04701527
PE file contains an invalid checksum
Source: snBYiBAMB2.dll Static PE information: real checksum: 0x80fdc should be: 0x7ce11

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AEDA29h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AC4769h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AEDA1Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AC475Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AEDA29h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AC475Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA062C0 rdtscp 1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA2BA20 FindFirstFileExW, 1_2_6EA2BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA2BA20 FindFirstFileExW, 4_2_6EA2BA20
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.799410994.00000207A9429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EA14E67
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA1744C GetProcessHeap,HeapFree, 1_2_6EA1744C
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA062C0 rdtscp 1_2_6EA062C0
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA062C0 mov eax, dword ptr fs:[00000030h] 1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA062C0 mov eax, dword ptr fs:[00000030h] 1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA24F94 mov eax, dword ptr fs:[00000030h] 1_2_6EA24F94
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA07A30 mov eax, dword ptr fs:[00000030h] 1_2_6EA07A30
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA2B715 mov eax, dword ptr fs:[00000030h] 1_2_6EA2B715
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA17334 mov esi, dword ptr fs:[00000030h] 1_2_6EA17334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02F24315 mov eax, dword ptr fs:[00000030h] 4_2_02F24315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA062C0 mov eax, dword ptr fs:[00000030h] 4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA062C0 mov eax, dword ptr fs:[00000030h] 4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA24F94 mov eax, dword ptr fs:[00000030h] 4_2_6EA24F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA07A30 mov eax, dword ptr fs:[00000030h] 4_2_6EA07A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA2B715 mov eax, dword ptr fs:[00000030h] 4_2_6EA2B715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA17334 mov esi, dword ptr fs:[00000030h] 4_2_6EA17334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00414315 mov eax, dword ptr fs:[00000030h] 5_2_00414315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02CC4315 mov eax, dword ptr fs:[00000030h] 8_2_02CC4315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04714315 mov eax, dword ptr fs:[00000030h] 15_2_04714315
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EA14E67
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA1461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6EA1461A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA1D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EA1D436
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EA14E67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA1461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6EA1461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA1D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EA1D436
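Reading the Anti Debugging entries: fs:[30h] on 32-bit Windows is TEB.ProcessEnvironmentBlock, so every "mov eax, dword ptr fs:[00000030h]" above is a PEB read (BeingDebugged lives at PEB+2, NtGlobalFlag at PEB+0x68); the 6EA0xxxx addresses repeat under PIDs 1 (loaddll32.exe) and 4 (rundll32.exe) because the DLL is mapped at the same base in both, so each function is listed once per process rather than being two functions. One caveat: the chain IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter at 6EA14E67 is the sequence of the MSVC runtime's security-failure handler, so that single entry is weak evidence on its own; the rdtscp pairs and the PEB reads inside the timing function are the stronger indicators. The scanner below is an added example, not code from the report or from the sample: it finds the same instruction encodings the sandbox flags statically (PEB reads through fs:[30h] in both encodings, rdtsc/rdtscp, cpuid) and pairs timestamp reads that sit within a short window, which is the shape of the "RDTSC instruction interceptor" entries (first address / second address). SAMPLE_CODE is a constructed byte string that mirrors the rdtscp/test/jne/mov/rdtscp sequence shown above; it is not the Emotet module's code, and the 64-byte window is this example's assumption.

```python
"""Static scan of 32-bit x86 code for the anti-debug and timing patterns the
report flags: PEB reads through fs:[30h], rdtsc/rdtscp pairs and cpuid.

Added example, not part of the sandbox report. The opcode encodings are the
standard 32-bit ones; SAMPLE_CODE is constructed to mirror the report's
rdtscp sequence and is not the Emotet module's code."""
from typing import Dict, List, Tuple

PEB_OFFSET = b"\x30\x00\x00\x00"   # fs:[30h] = TEB.ProcessEnvironmentBlock (32-bit)
TIMING_WINDOW = 64                 # assumption: max bytes between two timestamp reads of one check


def find_peb_reads(code: bytes) -> List[int]:
    """Offsets of 'mov r32, dword ptr fs:[30h]' in either encoding:
       64 A1 30 00 00 00          (eax only, moffs32 form)
       64 8B <modrm> 30 00 00 00  (any r32; modrm mod=00 rm=101 selects disp32)"""
    hits = []
    for i in range(len(code) - 5):
        if code[i] != 0x64:        # fs segment override prefix
            continue
        if code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_OFFSET:
            hits.append(i)
        elif (code[i + 1] == 0x8B and i + 7 <= len(code)
              and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_OFFSET):
            hits.append(i)
    return hits


def find_opcode(code: bytes, opcode: bytes) -> List[int]:
    """All offsets of a fixed opcode sequence (rdtsc 0F 31, rdtscp 0F 01 F9, cpuid 0F A2)."""
    hits, start = [], 0
    while (pos := code.find(opcode, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def find_timing_pairs(code: bytes, window: int = TIMING_WINDOW) -> List[Tuple[int, int]]:
    """Two timestamp reads within `window` bytes of each other: the shape of the
    report's 'RDTSC instruction interceptor' entries (first address / second address)."""
    reads = sorted(find_opcode(code, b"\x0F\x31") + find_opcode(code, b"\x0F\x01\xF9"))
    return [(a, b) for a, b in zip(reads, reads[1:]) if 0 < b - a <= window]


def scan(code: bytes) -> Dict[str, list]:
    """All indicator classes in one pass, keyed like the report's signature names."""
    return {
        "peb_read": find_peb_reads(code),
        "rdtscp": find_opcode(code, b"\x0F\x01\xF9"),
        "cpuid": find_opcode(code, b"\x0F\xA2"),
        "timing_pair": find_timing_pairs(code),
    }


# Constructed sample: the rdtscp / test edx,edx / jne / mov ebx,imm / rdtscp shape
# from the interceptor entries, then a PEB.BeingDebugged read and a cpuid.
SAMPLE_CODE = bytes.fromhex(
    "0F01F9"            # rdtscp                           (offset 0)
    "85D2"              # test edx, edx
    "7505"              # jne +5
    "BB5BB54405"        # mov ebx, 0544B55Bh
    "0F01F9"            # rdtscp                           (offset 12)
    "9090909090909090"  # padding
    "64A130000000"      # mov eax, dword ptr fs:[30h]      (offset 23)
    "0FB64002"          # movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
    "85C0"              # test eax, eax
    "648B3530000000"    # mov esi, dword ptr fs:[30h]      (offset 35)
    "0FA2"              # cpuid                            (offset 42)
)

if __name__ == "__main__":
    for kind, offsets in scan(SAMPLE_CODE).items():
        shown = [hex(o) if isinstance(o, int) else tuple(map(hex, o)) for o in offsets]
        print(f"{kind:12s} {shown}")
```

Run over a dumped .text section, the pairs reported by find_timing_pairs are the addresses to break on when reproducing the "first address / second address" measurement; a lone PEB read is common in CRT code and is only interesting together with a timing pair or an explicit BeingDebugged / NtGlobalFlag access.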

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
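The process creation recorded above (cmd.exe launching rundll32.exe with a DLL from the user's Desktop and the export requested by ordinal, #1) is the telemetry shape to hunt for. The rule below is an added example, not part of the sandbox report and not a Sigma rule: it parses rundll32 command lines into (DLL path, entry point) and only alerts when at least two independent signals agree, because each one alone is noisy (shell32.dll,#61 is the ordinary Run dialog, and cmd.exe legitimately runs printui.dll). The events are constructed Sysmon Event ID 1 style records with only the fields the rule uses; SUSPICIOUS_PARENTS, the user-writable path list and the two-signal threshold are this example's assumptions.

```python
"""Process-creation rule for the cmd.exe -> rundll32.exe launch in the report.

Added example, not part of the sandbox report or of any Sigma rule. Events are
constructed Sysmon Event ID 1 style records (only the fields used here). The
parent list, path list and the two-signal threshold are this example's assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# rundll32 command lines look like:  rundll32.exe "<dll>",<entry> [args]   or   rundll32.exe <dll>,<entry>
# where <entry> is an export name or '#<ordinal>'; the rundll32 token itself may be quoted or a full path.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>[^\s,]+))'
    r'\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
ORDINAL_RE = re.compile(r"^#\d+$")
USER_WRITABLE_RE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\", re.IGNORECASE)
# Assumption: parents from which a rundll32 DLL load is unusual on a workstation.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "winword.exe", "excel.exe", "wscript.exe"}
MIN_SIGNALS = 2   # assumption: alert only when at least two independent signals agree


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """(dll_path, entry) for a rundll32 command line, or None if it loads nothing."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qpath") or m.group("path"), m.group("entry"))


def signals(event: Dict[str, str]) -> List[str]:
    """Independent reasons this rundll32 launch matches the DLL-stager pattern."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    if ORDINAL_RE.match(entry):
        reasons.append("export called by ordinal")
    if USER_WRITABLE_RE.search(dll):
        reasons.append("DLL loaded from a user-writable path")
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Events meeting the threshold, with their reasons, in input order."""
    alerts = []
    for idx, ev in enumerate(events):
        reasons = signals(ev)
        if len(reasons) >= MIN_SIGNALS:
            alerts.append({"index": idx, "CommandLine": ev["CommandLine"], "reasons": reasons})
    return alerts


# Constructed events. Event 0 mirrors the process creation the report records;
# the others are ordinary rundll32 uses on which any single signal would misfire.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL appwiz.cpl'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,#61"},        # Run dialog: ordinal alone is not enough
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\srv\printer"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["CommandLine"], "->", "; ".join(alert["reasons"]))
```

Only event 0 reaches the threshold; the Run-dialog and printui launches each carry one signal and stay below it. In production the DLL path is also worth joining against the file-creation event for the same path to pick up the missing Zone.Identifier the report notes.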

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6EA34EAC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6EA2CE41
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6EA34F7F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6EA34C7C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6EA34DA4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6EA34A27
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6EA348B6
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6EA3480D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6EA2C982
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6EA3499C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6EA34901
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6EA34610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EA34EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EA2CE41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6EA34F7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EA34C7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6EA34DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6EA34A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EA348B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EA3480D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EA2C982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EA3499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EA34901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6EA34610
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA14C86 cpuid 1_2_6EA14C86
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6EA14FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6EA14FF7

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000C.00000002.799608607.000002126D43D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.799352659.000002126D429000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.800023296.000002126D502000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e041f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.ac4248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY
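The two halves of this list describe the same payload twice: each UNPACKEDPE identifier is <pid>.<stage>.<process>.<hexaddr>.<n>[.raw].unpack, and each MEMORY identifier is a dotted .sdmp name whose first field is the PID in hex and whose fourth is the region base. Joining them on (pid, base) shows that the six unpacked images (E90000, 2F10000, 400000, 990000, 2CB0000, 4700000) are exactly the regions dumped with the fifth field 0x40, and that the same payload sits at a different base in each of PIDs 1, 4, 5, 7, 8 and 15 (the PEB-reading functions 02F24315, 00414315, 02CC4315 and 04714315 in the Anti Debugging section are all RVA 0x14315 of those bases). The script below is an added example, not part of the sandbox report; the identifier layouts are read off the entries above, treating the fifth .sdmp field as a Windows PAGE_* protection constant (0x40 = PAGE_EXECUTE_READWRITE) is this example's assumption, and the sixth field is kept verbatim and not interpreted. SAMPLE_LINES is a representative subset copied from the list above.

```python
"""Correlate the report's Yara hits: UNPACKEDPE dumps against the memory
regions they were carved from, joined on (pid, base address).

Added example, not part of the sandbox report. Identifier layouts are read
off the report entries; decoding the fifth .sdmp field as a PAGE_* constant
is this example's assumption, and the sixth field is not interpreted."""
import re
from typing import Dict, List, Optional

UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<proc>[^.]+\.exe)\.(?P<addr>[0-9a-fA-F]+)"
    r"\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp$")
LINE_RE = re.compile(r"File source:\s*(?P<ident>\S+),\s*type:\s*(?P<kind>\w+)")

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_hit(line: str) -> Optional[Dict[str, object]]:
    """One 'Source: Yara match File source: ..., type: ...' line -> normalised record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ident, kind = m.group("ident"), m.group("kind")
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(ident)):
        return {"kind": kind, "pid": int(u["pid"]), "proc": u["proc"],
                "base": int(u["addr"], 16), "raw": bool(u["raw"])}
    if kind == "MEMORY" and (s := SDMP_RE.match(ident)):
        prot = int(s["protect"], 16)
        return {"kind": kind, "pid": int(s["pid"], 16), "base": int(s["base"], 16),
                "protect": PAGE_PROTECT.get(prot, hex(prot)), "flags": s["flags"]}
    return None


def correlate(lines: List[str]) -> Dict[str, object]:
    """Join unpacked PEs to memory dumps at the same (pid, base); raw/non-raw pairs collapse."""
    hits = [h for h in map(parse_hit, lines) if h]
    unpacked = {(h["pid"], h["base"]): h for h in hits if h["kind"] == "UNPACKEDPE"}
    memory = {(h["pid"], h["base"]): h for h in hits if h["kind"] == "MEMORY"}
    matched, unmatched = [], []
    for key, u in sorted(unpacked.items()):
        if key in memory:
            matched.append({"pid": key[0], "proc": u["proc"], "base": key[1],
                            "protect": memory[key]["protect"]})
        else:   # carved from inside a larger region; no region size is given, so left unjoined
            unmatched.append({"pid": key[0], "proc": u["proc"], "base": key[1]})
    return {"pids": sorted({h["pid"] for h in hits}), "matched": matched, "unmatched": unmatched}


# Representative subset copied from the report's "Yara detected Emotet" entries.
SAMPLE_LINES = """\
Source: Yara match File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY
""".splitlines()

if __name__ == "__main__":
    result = correlate(SAMPLE_LINES)
    print("PIDs with Emotet matches:", result["pids"])
    for m in result["matched"]:
        print(f"pid {m['pid']:2d} {m['proc']:14s} base {m['base']:#010x} {m['protect']}")
    for u in result["unmatched"]:
        print(f"pid {u['pid']:2d} {u['proc']:14s} addr {u['base']:#010x} (inside a larger dump)")
```

The three unmatched entries (ac4248, 2e041f0, f0e3f0) are carved from higher addresses inside the 0x04 regions of the same PIDs; since the report gives no region sizes, the join stays exact rather than guessing containment. The six exact matches are the bases to pull for configuration extraction, and the 0x400000 image in PID 5 is the one mapped at the classic fixed image base.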