Windows Analysis Report efELSMI5R4.dll

Overview

General Information

Sample Name: efELSMI5R4.dll
Analysis ID: 532312
MD5: 1ec5996508211a8d174a1a09d6289463
SHA1: ede146abf146c0dfdb88431dfecf5cc80b267335
SHA256: 2933137a5e251f44b2e6d2cc919c8a679651a76b900b3b9e2b06edc73b64e5e6
Tags: 32 dll exe trojan

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Emotet
Multi AV Scanner detection for submitted file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Changes security center settings (notifications, updates, antivirus, firewall)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Deletes files inside the Windows folder
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: efELSMI5R4.dll Virustotal: Detection: 19%
Source: efELSMI5R4.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: efELSMI5R4.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: efELSMI5R4.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: :KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000016.00000002.684050713.00000000003A2000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA40927 FindFirstFileExW, 0_2_6EA40927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA40927 FindFirstFileExW, 3_2_6EA40927
Source: WerFault.exe, 00000016.00000002.686615758.000000000474E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000016.00000002.686615758.000000000474E000.00000004.00000001.sdmp String found in binary or memory: http://crl.m
Source: svchost.exe, 0000000C.00000002.540969399.00000179FEA13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000003.537823223.00000179FEA4D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.537790536.00000179FEA69000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.541016012.00000179FEA6B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.541008566.00000179FEA61000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.537819232.00000179FEA60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.540996379.00000179FEA4A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539684743.00000179FEA49000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.537823223.00000179FEA4D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.540996379.00000179FEA4A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539684743.00000179FEA49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.540996379.00000179FEA4A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539684743.00000179FEA49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.541002983.00000179FEA56000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.537815045.00000179FEA63000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.540992990.00000179FEA44000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539711087.00000179FEA43000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539701661.00000179FEA42000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.540989929.00000179FEA41000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.540979190.00000179FEA29000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.539715635.00000179FEA3E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.503882682.00000179FEA35000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.537823223.00000179FEA4D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.539719943.00000179FEA50000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.541002983.00000179FEA56000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.cd3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3472148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.cd3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3472148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.32d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.31820a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6a2160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6a2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2fd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.31820a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.545400007.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.665545793.00000000008F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.497340032.00000000033D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.620091364.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.685885620.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.535753712.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.564256085.00000000030A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518881595.00000000032D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.518906170.000000000345A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.516978960.000000000068A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.667708514.0000000003460000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.605013673.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.569478783.000000000316A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.666094116.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.666680634.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.665849147.00000000034DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.669521657.00000000006D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.590946343.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686580217.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.518853652.0000000002FD0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: efELSMI5R4.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Luvyipkowrkroyzm\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00941291 0_2_00941291
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00930A93 0_2_00930A93
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093CE90 0_2_0093CE90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00930E97 0_2_00930E97
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093A29B 0_2_0093A29B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093009A 0_2_0093009A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093E899 0_2_0093E899
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092FE9D 0_2_0092FE9D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092A083 0_2_0092A083
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092F48A 0_2_0092F48A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009352D1 0_2_009352D1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009290D4 0_2_009290D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009328D5 0_2_009328D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00941CDB 0_2_00941CDB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00922CC2 0_2_00922CC2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009292C1 0_2_009292C1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009420CE 0_2_009420CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009310CD 0_2_009310CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009284F0 0_2_009284F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009362F5 0_2_009362F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00934CF5 0_2_00934CF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009246FA 0_2_009246FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00921EFB 0_2_00921EFB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009340FE 0_2_009340FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009240E2 0_2_009240E2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092C0EA 0_2_0092C0EA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009356E9 0_2_009356E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0094261E 0_2_0094261E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093C205 0_2_0093C205
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092800A 0_2_0092800A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00923432 0_2_00923432
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092243F 0_2_0092243F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00929824 0_2_00929824
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00923228 0_2_00923228
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093282D 0_2_0093282D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00926453 0_2_00926453
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093EA55 0_2_0093EA55
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092CE5A 0_2_0092CE5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00933043 0_2_00933043
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092AE43 0_2_0092AE43
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00937445 0_2_00937445
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092AA4E 0_2_0092AA4E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092544C 0_2_0092544C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093B677 0_2_0093B677
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092FA78 0_2_0092FA78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092387F 0_2_0092387F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092EE60 0_2_0092EE60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092B464 0_2_0092B464
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00926869 0_2_00926869
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00923A6C 0_2_00923A6C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00931591 0_2_00931591
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092B191 0_2_0092B191
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00927795 0_2_00927795
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00933782 0_2_00933782
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00928D80 0_2_00928D80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00924B81 0_2_00924B81
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093DB87 0_2_0093DB87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092358B 0_2_0092358B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093E3B5 0_2_0093E3B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009385B8 0_2_009385B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009243BE 0_2_009243BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009259BF 0_2_009259BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093D7BE 0_2_0093D7BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009389A2 0_2_009389A2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093E5A7 0_2_0093E5A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093DDA5 0_2_0093DDA5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00930BA4 0_2_00930BA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009275D2 0_2_009275D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009219C0 0_2_009219C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092A3E7 0_2_0092A3E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093EDED 0_2_0093EDED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009251EC 0_2_009251EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092CB13 0_2_0092CB13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00924D1E 0_2_00924D1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093970A 0_2_0093970A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093E10A 0_2_0093E10A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093590E 0_2_0093590E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00933D0C 0_2_00933D0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093BF0C 0_2_0093BF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0093CD35 0_2_0093CD35
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092F73B 0_2_0092F73B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00939124 0_2_00939124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092A92F 0_2_0092A92F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00936540 0_2_00936540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00940370 0_2_00940370
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092BD61 0_2_0092BD61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0092CF6E 0_2_0092CF6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA277B4 0_2_6EA277B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA29F10 0_2_6EA29F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA21DE0 0_2_6EA21DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2D530 0_2_6EA2D530
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA23A90 0_2_6EA23A90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3E3A1 0_2_6EA3E3A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA30380 0_2_6EA30380
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA268B0 0_2_6EA268B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2A890 0_2_6EA2A890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2E890 0_2_6EA2E890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA310C0 0_2_6EA310C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA26070 0_2_6EA26070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032F1291 2_2_032F1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DA92F 2_2_032DA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E9124 2_2_032E9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DF73B 2_2_032DF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032ECD35 2_2_032ECD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E590E 2_2_032E590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E3D0C 2_2_032E3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EBF0C 2_2_032EBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E970A 2_2_032E970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EE10A 2_2_032EE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D4D1E 2_2_032D4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DCB13 2_2_032DCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DCF6E 2_2_032DCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DBD61 2_2_032DBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032F0370 2_2_032F0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E6540 2_2_032E6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EE5A7 2_2_032EE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E0BA4 2_2_032E0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EDDA5 2_2_032EDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E89A2 2_2_032E89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032ED7BE 2_2_032ED7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D59BF 2_2_032D59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D43BE 2_2_032D43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E85B8 2_2_032E85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EE3B5 2_2_032EE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D358B 2_2_032D358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EDB87 2_2_032EDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D4B81 2_2_032D4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E3782 2_2_032E3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D8D80 2_2_032D8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D7795 2_2_032D7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DB191 2_2_032DB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E1591 2_2_032E1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D51EC 2_2_032D51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EEDED 2_2_032EEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DA3E7 2_2_032DA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D19C0 2_2_032D19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D75D2 2_2_032D75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E282D 2_2_032E282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D3228 2_2_032D3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D9824 2_2_032D9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D243F 2_2_032D243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D3432 2_2_032D3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D800A 2_2_032D800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EC205 2_2_032EC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032F261E 2_2_032F261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D3A6C 2_2_032D3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D6869 2_2_032D6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DB464 2_2_032DB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DEE60 2_2_032DEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D387F 2_2_032D387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DFA78 2_2_032DFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EB677 2_2_032EB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D544C 2_2_032D544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DAA4E 2_2_032DAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E7445 2_2_032E7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E3043 2_2_032E3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DAE43 2_2_032DAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DCE5A 2_2_032DCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EEA55 2_2_032EEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D6453 2_2_032D6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DF48A 2_2_032DF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DA083 2_2_032DA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DFE9D 2_2_032DFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E009A 2_2_032E009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EA29B 2_2_032EA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032EE899 2_2_032EE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E0E97 2_2_032E0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E0A93 2_2_032E0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032ECE90 2_2_032ECE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032DC0EA 2_2_032DC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E56E9 2_2_032E56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D40E2 2_2_032D40E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E40FE 2_2_032E40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D1EFB 2_2_032D1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D46FA 2_2_032D46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E62F5 2_2_032E62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E4CF5 2_2_032E4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D84F0 2_2_032D84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032F20CE 2_2_032F20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E10CD 2_2_032E10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D92C1 2_2_032D92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D2CC2 2_2_032D2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032F1CDB 2_2_032F1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D90D4 2_2_032D90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E28D5 2_2_032E28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E52D1 2_2_032E52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA277B4 3_2_6EA277B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA29F10 3_2_6EA29F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA21DE0 3_2_6EA21DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA2D530 3_2_6EA2D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA23A90 3_2_6EA23A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA3E3A1 3_2_6EA3E3A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA30380 3_2_6EA30380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA268B0 3_2_6EA268B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA2A890 3_2_6EA2A890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA2E890 3_2_6EA2E890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA310C0 3_2_6EA310C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA26070 3_2_6EA26070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FF1291 8_2_02FF1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEEA55 8_2_02FEEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE40FE 8_2_02FE40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD1EFB 8_2_02FD1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD46FA 8_2_02FD46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE62F5 8_2_02FE62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE4CF5 8_2_02FE4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD84F0 8_2_02FD84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDC0EA 8_2_02FDC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE56E9 8_2_02FE56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD40E2 8_2_02FD40E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FF1CDB 8_2_02FF1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD90D4 8_2_02FD90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE28D5 8_2_02FE28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE52D1 8_2_02FE52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FF20CE 8_2_02FF20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE10CD 8_2_02FE10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD92C1 8_2_02FD92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD2CC2 8_2_02FD2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDFE9D 8_2_02FDFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE009A 8_2_02FE009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEA29B 8_2_02FEA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEE899 8_2_02FEE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE0E97 8_2_02FE0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE0A93 8_2_02FE0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FECE90 8_2_02FECE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDF48A 8_2_02FDF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDA083 8_2_02FDA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD387F 8_2_02FD387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDFA78 8_2_02FDFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEB677 8_2_02FEB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD3A6C 8_2_02FD3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD6869 8_2_02FD6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDB464 8_2_02FDB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDEE60 8_2_02FDEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDCE5A 8_2_02FDCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD6453 8_2_02FD6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD544C 8_2_02FD544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDAA4E 8_2_02FDAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE7445 8_2_02FE7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE3043 8_2_02FE3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDAE43 8_2_02FDAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD243F 8_2_02FD243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD3432 8_2_02FD3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE282D 8_2_02FE282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD3228 8_2_02FD3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD9824 8_2_02FD9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FF261E 8_2_02FF261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD800A 8_2_02FD800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEC205 8_2_02FEC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD51EC 8_2_02FD51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEEDED 8_2_02FEEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDA3E7 8_2_02FDA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD75D2 8_2_02FD75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD19C0 8_2_02FD19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FED7BE 8_2_02FED7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD59BF 8_2_02FD59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD43BE 8_2_02FD43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE85B8 8_2_02FE85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEE3B5 8_2_02FEE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEE5A7 8_2_02FEE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE0BA4 8_2_02FE0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEDDA5 8_2_02FEDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE89A2 8_2_02FE89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD7795 8_2_02FD7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDB191 8_2_02FDB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE1591 8_2_02FE1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD358B 8_2_02FD358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEDB87 8_2_02FEDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD4B81 8_2_02FD4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE3782 8_2_02FE3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD8D80 8_2_02FD8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FF0370 8_2_02FF0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDCF6E 8_2_02FDCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDBD61 8_2_02FDBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE6540 8_2_02FE6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDF73B 8_2_02FDF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FECD35 8_2_02FECD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDA92F 8_2_02FDA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE9124 8_2_02FE9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD4D1E 8_2_02FD4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FDCB13 8_2_02FDCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE590E 8_2_02FE590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE3D0C 8_2_02FE3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEBF0C 8_2_02FEBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE970A 8_2_02FE970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FEE10A 8_2_02FEE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DB464 13_2_006DB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EEA55 13_2_006EEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D9824 13_2_006D9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D243F 13_2_006D243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E40FE 13_2_006E40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006F20CE 13_2_006F20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E10CD 13_2_006E10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D92C1 13_2_006D92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006F1291 13_2_006F1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DCF6E 13_2_006DCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E9124 13_2_006E9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E3D0C 13_2_006E3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EDB87 13_2_006EDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E3782 13_2_006E3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D3A6C 13_2_006D3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D6869 13_2_006D6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DEE60 13_2_006DEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D387F 13_2_006D387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DFA78 13_2_006DFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EB677 13_2_006EB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D544C 13_2_006D544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DAA4E 13_2_006DAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E7445 13_2_006E7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E3043 13_2_006E3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DAE43 13_2_006DAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DCE5A 13_2_006DCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D6453 13_2_006D6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E282D 13_2_006E282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D3228 13_2_006D3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D3432 13_2_006D3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D800A 13_2_006D800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EC205 13_2_006EC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006F261E 13_2_006F261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DC0EA 13_2_006DC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E56E9 13_2_006E56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D40E2 13_2_006D40E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D1EFB 13_2_006D1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D46FA 13_2_006D46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E62F5 13_2_006E62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E4CF5 13_2_006E4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D84F0 13_2_006D84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D2CC2 13_2_006D2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006F1CDB 13_2_006F1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D90D4 13_2_006D90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E28D5 13_2_006E28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E52D1 13_2_006E52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DF48A 13_2_006DF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DA083 13_2_006DA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DFE9D 13_2_006DFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E009A 13_2_006E009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EA29B 13_2_006EA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EE899 13_2_006EE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E0E97 13_2_006E0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E0A93 13_2_006E0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006ECE90 13_2_006ECE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DBD61 13_2_006DBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006F0370 13_2_006F0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E6540 13_2_006E6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DA92F 13_2_006DA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DF73B 13_2_006DF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006ECD35 13_2_006ECD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E590E 13_2_006E590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EBF0C 13_2_006EBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E970A 13_2_006E970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EE10A 13_2_006EE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D4D1E 13_2_006D4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DCB13 13_2_006DCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D51EC 13_2_006D51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EEDED 13_2_006EEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DA3E7 13_2_006DA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D19C0 13_2_006D19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D75D2 13_2_006D75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EE5A7 13_2_006EE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E0BA4 13_2_006E0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EDDA5 13_2_006EDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E89A2 13_2_006E89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006ED7BE 13_2_006ED7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D59BF 13_2_006D59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D43BE 13_2_006D43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E85B8 13_2_006E85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006EE3B5 13_2_006EE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D358B 13_2_006D358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D4B81 13_2_006D4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D8D80 13_2_006D8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D7795 13_2_006D7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006DB191 13_2_006DB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E1591 13_2_006E1591
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA3AC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA21DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA3AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA21DE0 appears 97 times
Source: efELSMI5R4.dll Virustotal: Detection: 19%
Source: efELSMI5R4.dll ReversingLabs: Detection: 17%
Source: efELSMI5R4.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
Source: unknown Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "572" "2276" "2168" "2272" "0" "0" "2268" "0" "0" "0" "0" "0"
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu",YATH
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\efELSMI5R4.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu",YATH
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:2228:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:1244:64:WilError_01
Source: C:\Windows\System32\wermgr.exe Mutant created: \BaseNamedObjects\Local\SM0:5096:120:WilError_01
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\wermgr.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4A6.tmp
Source: classification engine Classification label: mal72.troj.evad.winDLL@37/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: efELSMI5R4.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: efELSMI5R4.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: :KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000016.00000002.684050713.00000000003A2000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009213E7 push esi; retf 0_2_009213F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA46A93 push ecx; ret 0_2_6EA46AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032D13E7 push esi; retf 2_2_032D13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA46A93 push ecx; ret 3_2_6EA46AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FD13E7 push esi; retf 8_2_02FD13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006D13E7 push esi; retf 13_2_006D13F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6EA2E690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Luvyipkowrkroyzm\ogjmypdycx.tqu:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Oreodoh\rvkuiukjras.enc:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA40927 FindFirstFileExW, 0_2_6EA40927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA40927 FindFirstFileExW, 3_2_6EA40927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.684453139.000001C99D202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: WerFault.exe, 00000016.00000002.686514227.000000000473A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000016.00000002.686184575.0000000004708000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@Ut
Source: svchost.exe, 00000005.00000002.684497000.000001C99D228000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.684366581.000002320DC29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA40326
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009307D2 mov eax, dword ptr fs:[00000030h] 0_2_009307D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA39990 mov eax, dword ptr fs:[00000030h] 0_2_6EA39990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3EC0B mov ecx, dword ptr fs:[00000030h] 0_2_6EA3EC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA402CC mov eax, dword ptr fs:[00000030h] 0_2_6EA402CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA39920 mov esi, dword ptr fs:[00000030h] 0_2_6EA39920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA39920 mov eax, dword ptr fs:[00000030h] 0_2_6EA39920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032E07D2 mov eax, dword ptr fs:[00000030h] 2_2_032E07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA39990 mov eax, dword ptr fs:[00000030h] 3_2_6EA39990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA3EC0B mov ecx, dword ptr fs:[00000030h] 3_2_6EA3EC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA402CC mov eax, dword ptr fs:[00000030h] 3_2_6EA402CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA39920 mov esi, dword ptr fs:[00000030h] 3_2_6EA39920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA39920 mov eax, dword ptr fs:[00000030h] 3_2_6EA39920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02FE07D2 mov eax, dword ptr fs:[00000030h] 8_2_02FE07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006E07D2 mov eax, dword ptr fs:[00000030h] 13_2_006E07D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6EA2E690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA21290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6EA21290
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009328D5 LdrInitializeThunk, 0_2_009328D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6EA3A462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA40326
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA3AB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA3A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6EA3A462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA40326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA3AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA3AB0C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\efELSMI5R4.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7084 -ip 7084
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7084 -ip 7084
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 344
Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.642253548.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.666953506.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.612984650.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000002.686964466.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.553538519.0000000001240000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.684250383.000001980CF90000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.686306336.0000000003170000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3A584 cpuid 0_2_6EA3A584
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6EA3A755

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000013.00000002.685217722.0000018451640000.00000004.00000001.sdmp Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.685038931.0000018451629000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.685417229.0000018451702000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.cd3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3472148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.cd3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3472148.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.32d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.31820a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6a2160.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.cd3b40.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6a2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2fd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.31820a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.516956813.0000000000600000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.629962254.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.545400007.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.665545793.00000000008F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.497340032.00000000033D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.620091364.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.685885620.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.535753712.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.564256085.00000000030A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518881595.00000000032D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.518906170.000000000345A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.516978960.000000000068A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.667708514.0000000003460000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.605013673.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.569478783.000000000316A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.666094116.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.666680634.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.665849147.00000000034DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.669521657.00000000006D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.590946343.0000000000920000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686580217.0000000000CCC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.518853652.0000000002FD0000.00000040.00000010.sdmp, type: MEMORY
No contacted IP infos