Windows Analysis Report 9izNuvE61W

Overview

General Information

Sample Name: 9izNuvE61W (renamed file extension from none to dll)
Analysis ID: 532414
MD5: 1001c03943dc4c187922a673ab699bd2
SHA1: d8ce9f24b5693f11f88336c84f8312a5b385ea7e
SHA256: 3e651cef6a05ae7d259eb01913e1b157c16ab08fba4cd9129e3a50caaf349e0c
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Emotet
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Connects to several IPs in different countries
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.be4770.1.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: 9izNuvE61W.dll Virustotal: Detection: 25%
Source: 9izNuvE61W.dll ReversingLabs: Detection: 28%

Compliance:

Uses 32bit PE files
Source: 9izNuvE61W.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 9izNuvE61W.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E51BA20 FindFirstFileExW, 1_2_6E51BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E51BA20 FindFirstFileExW, 4_2_6E51BA20

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 104.245.52.73:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 103.8.26.103:8080
Source: Malware configuration extractor IPs: 185.184.25.237:8080
Source: Malware configuration extractor IPs: 103.8.26.102:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 51.68.175.8:8080
Source: Malware configuration extractor IPs: 210.57.217.132:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 18
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99
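The configuration block in the AV Detection section and the C2 list above are the actionable output of this report. The script below is an added example, not part of the report or of any Joe Sandbox tooling: it carries the printed configuration as a constant, validates every ip:port entry, decodes the two "Public Key" strings as CNG BCRYPT_ECCKEY_BLOB structures (the layout from Windows bcrypt.h: 4-byte magic, 4-byte coordinate size, then X and Y big-endian; the ECK1 and ECS1 magics with a 32-byte coordinate size identify ECDH and ECDSA public keys on P-256), checks whether each decoded point satisfies the P-256 curve equation as a guard against a mangled extraction, and emits one Suricata rule per endpoint. The rule text, the sid range and all function names are this example's own choices.

```python
import base64
import ipaddress
import struct

# Configuration exactly as the report's malware configuration extractor printed it
# for 4.2.rundll32.exe.be4770.1.raw.unpack (copied from the page, not re-extracted).
EMOTET_CONFIG = {
    "C2 list": [
        "46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080",
        "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080",
        "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443",
        "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080",
        "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443",
        "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080",
        "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080",
        "210.57.217.132:8080",
    ],
    "Public Key": [
        "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2",
        "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5",
    ],
}

# BCRYPT_ECCKEY_BLOB magics from Windows bcrypt.h: "ECK1" = ECDH P-256 public key,
# "ECS1" = ECDSA P-256 public key. The blob is magic | cbKey (LE uint32) | X | Y.
ECC_MAGICS = {b"ECK1": ("ECDH", "P-256"), b"ECS1": ("ECDSA", "P-256")}

# NIST P-256 field prime and curve constant b, used only for the on-curve sanity check.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def parse_c2_entries(entries):
    """Split 'ip:port' strings into (ip, port) tuples, rejecting malformed ones."""
    parsed = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)          # raises ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        parsed.append((str(ip), port))
    return parsed


def parse_ecc_blob(b64):
    """Decode a base64 BCRYPT_ECCKEY_BLOB and report its fields."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 8:
        raise ValueError("blob too short for a BCRYPT_ECCKEY_BLOB header")
    magic = blob[:4]
    (cb_key,) = struct.unpack("<I", blob[4:8])
    if magic not in ECC_MAGICS:
        raise ValueError(f"unknown ECC blob magic {magic!r}")
    if len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"expected {8 + 2 * cb_key} bytes, got {len(blob)}")
    x = int.from_bytes(blob[8:8 + cb_key], "big")   # CNG stores X and Y big-endian
    y = int.from_bytes(blob[8 + cb_key:], "big")
    algorithm, curve = ECC_MAGICS[magic]
    on_curve = (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0
    return {"magic": magic.decode(), "algorithm": algorithm, "curve": curve,
            "cb_key": cb_key, "x": x, "y": y, "on_curve": on_curve}


def port_histogram(c2):
    """Count endpoints per port; useful for a quick egress-policy check."""
    hist = {}
    for _, port in c2:
        hist[port] = hist.get(port, 0) + 1
    return hist


def suricata_rules(c2, sid_base=9000001):
    """One outbound-connection rule per C2 endpoint (sid range is this example's choice)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 from extracted config (analysis 532414)"; flow:to_server; '
        f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    c2 = parse_c2_entries(EMOTET_CONFIG["C2 list"])
    print(f"{len(c2)} C2 endpoints, per port: {port_histogram(c2)}")
    for blob in EMOTET_CONFIG["Public Key"]:
        k = parse_ecc_blob(blob)
        print(f"{k['magic']}: {k['algorithm']} {k['curve']} cbKey={k['cb_key']} on_curve={k['on_curve']}")
    print("\n".join(suricata_rules(c2)))
```

A practitioner would run this once per fresh config dump and diff the resulting rule set against the previous one; the key blobs change far less often than the C2 list, so a changed ECK1/ECS1 blob is itself worth noting. The on-curve result is not something to trust blindly as a "good key" signal, only as evidence that the 64 coordinate bytes survived extraction and transcription.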

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.5e4f70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.be4770.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.b843e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.cdfe88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.be4770.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.b843e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5e4f70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.db0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4443a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.cdfe88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4443a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1081852009.0000000000BCA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1109222127.0000000000960000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1081779748.00000000008D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1096930229.00000000005CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1111391424.0000000000B6A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1115024275.0000000000DB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1112860581.00000000005F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1107916093.0000000000A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1114394068.0000000000CBB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1112834820.000000000042A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 9izNuvE61W.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Sample file is different than original file name gathered from version info
Source: 9izNuvE61W.dll Binary or memory string: OriginalFilenameYlncpiqzme.dll6 vs 9izNuvE61W.dll
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Vdzcdlwa\eulmfwikgypgs.hkq:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vdzcdlwa\
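The two entries above (rundll32.exe creating a randomly named directory under SysWOW64 and then deleting the Zone.Identifier stream of the file it dropped there), together with the rundll32.exe connections to the configured C2 endpoints in the Networking section, are the observable install sequence on a host. The detection logic below is an added example, not part of the report: it runs three rules over constructed, normalized behaviour events and correlates hits per process. The event field names are this example's own and have to be mapped from whatever EDR or Sysmon telemetry is available; the KNOWN_C2 set carries only the two endpoints the report cross-references in Joe Sandbox View (the full list belongs in a feed), the port heuristic is taken from the ports used in this configuration, and the allow-list for Zone.Identifier removal is an assumption to keep the user's own "Unblock" action in Explorer from alerting.

```python
import ipaddress
from collections import defaultdict

# Constructed events in the shape of the report's "File created" / "File deleted" /
# network entries. Field names are this example's own; map your telemetry onto them.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": r"C:\Windows\SysWOW64\rundll32.exe", "pid": 4,
     "path": r"C:\Windows\SysWOW64\Vdzcdlwa\eulmfwikgypgs.hkq"},
    {"type": "file_delete", "process": r"C:\Windows\SysWOW64\rundll32.exe", "pid": 4,
     "path": r"C:\Windows\SysWOW64\Vdzcdlwa\eulmfwikgypgs.hkq:Zone.Identifier"},
    {"type": "net_connect", "process": r"C:\Windows\SysWOW64\rundll32.exe", "pid": 4,
     "dst_ip": "195.154.133.20", "dst_port": 443},
    # Benign noise that must not alert (constructed).
    {"type": "file_create", "process": r"C:\Windows\System32\svchost.exe", "pid": 900,
     "path": r"C:\Windows\SysWOW64\config\systemprofile\AppData\cache.dat"},
    {"type": "file_delete", "process": r"C:\Windows\explorer.exe", "pid": 1234,
     "path": r"C:\Users\alice\Downloads\invoice.pdf:Zone.Identifier"},
    {"type": "net_connect", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "pid": 2222,
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Two of the C2 endpoints from the extracted configuration (the ones the report also
# cross-references in Joe Sandbox View). Load the full list from the config in practice.
KNOWN_C2 = {("195.154.133.20", 443), ("212.237.17.99", 8080)}
# Non-standard ports used by the C2 list in this configuration.
SUSPICIOUS_PORTS = {7080, 8080}
# Processes for which removing Zone.Identifier is expected (assumption: user "Unblock").
MOTW_STRIP_ALLOWED = {"explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_drop_in_system_subdir(ev):
    """rundll32.exe writing into a subdirectory of System32/SysWOW64 (report: Vdzcdlwa\\...)."""
    if ev["type"] != "file_create" or basename(ev["process"]) != "rundll32.exe":
        return False
    p = ev["path"].lower()
    return any(p.startswith(d) and "\\" in p[len(d):] for d in SYSTEM_DIRS)


def rule_motw_stripped(ev):
    """Deletion of a Zone.Identifier stream by something other than an allowed process."""
    return (ev["type"] == "file_delete"
            and ev["path"].lower().endswith(":zone.identifier")
            and basename(ev["process"]) not in MOTW_STRIP_ALLOWED)


def rule_c2_connect(ev):
    """Connection to a known C2 endpoint, or rundll32.exe talking to an Emotet-style port."""
    if ev["type"] != "net_connect":
        return False
    dst = (str(ipaddress.ip_address(ev["dst_ip"])), int(ev["dst_port"]))
    if dst in KNOWN_C2:
        return True
    return basename(ev["process"]) == "rundll32.exe" and dst[1] in SUSPICIOUS_PORTS


RULES = {
    "drop_in_system_subdir": rule_drop_in_system_subdir,
    "motw_stripped": rule_motw_stripped,
    "c2_connect": rule_c2_connect,
}


def evaluate(events):
    """Return {pid: sorted rule names} for every process that tripped at least one rule."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def high_confidence(hits):
    """Drop-plus-MOTW-strip by one process, or any known-C2 contact, warrants an alert
    rather than a triage queue entry."""
    return sorted(pid for pid, names in hits.items()
                  if "c2_connect" in names
                  or {"drop_in_system_subdir", "motw_stripped"} <= set(names))


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for pid, names in sorted(hits.items()):
        print(f"pid {pid}: {', '.join(names)}")
    print("alert on:", high_confidence(hits))
```

The drop-and-strip pair is the part worth keeping even after the C2 list rots: a signed Windows loader writing a non-PE-extension file into a new directory under SysWOW64 and then removing its own mark-of-the-web is not something legitimate software does, so the correlation holds up independently of the infrastructure in this particular configuration.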
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD06EF 1_2_00DD06EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCED95 1_2_00DCED95
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC7EDD 1_2_00DC7EDD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD0AD3 1_2_00DD0AD3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB54C0 1_2_00DB54C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD20F8 1_2_00DD20F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBE6FD 1_2_00DBE6FD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBBEF5 1_2_00DBBEF5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBA8E8 1_2_00DBA8E8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBC69B 1_2_00DBC69B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBF699 1_2_00DBF699
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBD899 1_2_00DBD899
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB3085 1_2_00DB3085
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC3ABE 1_2_00DC3ABE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBAEB9 1_2_00DBAEB9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCB0BA 1_2_00DCB0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC56A9 1_2_00DC56A9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC04A4 1_2_00DC04A4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBF4A5 1_2_00DBF4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC645F 1_2_00DC645F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC604E 1_2_00DC604E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCE478 1_2_00DCE478
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD1C71 1_2_00DD1C71
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD0C66 1_2_00DD0C66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCBA18 1_2_00DCBA18
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD2C16 1_2_00DD2C16
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC1C12 1_2_00DC1C12
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBF20D 1_2_00DBF20D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB3E3B 1_2_00DB3E3B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCCC3F 1_2_00DCCC3F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0A37 1_2_00DC0A37
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0824 1_2_00DC0824
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCE7DA 1_2_00DCE7DA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC89DA 1_2_00DC89DA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC13DB 1_2_00DC13DB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB5DC3 1_2_00DB5DC3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB39C3 1_2_00DB39C3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC4DC5 1_2_00DC4DC5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0FC5 1_2_00DC0FC5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2DC5 1_2_00DB2DC5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB1DF9 1_2_00DB1DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCD5FE 1_2_00DCD5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB6BFE 1_2_00DB6BFE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC91F7 1_2_00DC91F7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBFBEF 1_2_00DBFBEF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBB7EC 1_2_00DBB7EC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD35E3 1_2_00DD35E3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC6B91 1_2_00DC6B91
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB938F 1_2_00DB938F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD1987 1_2_00DD1987
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB7D87 1_2_00DB7D87
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBF984 1_2_00DBF984
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB33A9 1_2_00DB33A9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC77A7 1_2_00DC77A7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCBFA1 1_2_00DCBFA1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB8D59 1_2_00DB8D59
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB635F 1_2_00DB635F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD2D4F 1_2_00DD2D4F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD314A 1_2_00DD314A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB4F42 1_2_00DB4F42
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCC145 1_2_00DCC145
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC5B7C 1_2_00DC5B7C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB597D 1_2_00DB597D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2B7C 1_2_00DB2B7C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2176 1_2_00DB2176
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCC772 1_2_00DCC772
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2575 1_2_00DB2575
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB196D 1_2_00DB196D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB996C 1_2_00DB996C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCF561 1_2_00DCF561
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB5166 1_2_00DB5166
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBDD66 1_2_00DBDD66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD2560 1_2_00DD2560
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB9565 1_2_00DB9565
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC8518 1_2_00DC8518
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB8112 1_2_00DB8112
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB4716 1_2_00DB4716
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB5314 1_2_00DB5314
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC710D 1_2_00DC710D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCD10B 1_2_00DCD10B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DD3306 1_2_00DD3306
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB7739 1_2_00DB7739
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC473A 1_2_00DC473A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC3130 1_2_00DC3130
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBE336 1_2_00DBE336
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DCCF2C 1_2_00DCCF2C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DBB12E 1_2_00DBB12E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB6125 1_2_00DB6125
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F5980 1_2_6E4F5980
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F6100 1_2_6E4F6100
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E51AE28 1_2_6E51AE28
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E521F65 1_2_6E521F65
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E502C70 1_2_6E502C70
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E511D50 1_2_6E511D50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E50FD1F 1_2_6E50FD1F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F2D10 1_2_6E4F2D10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E5258EF 1_2_6E5258EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4FE6B0 1_2_6E4FE6B0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E5257CB 1_2_6E5257CB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E520569 1_2_6E520569
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E50C366 1_2_6E50C366
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F9380 1_2_6E4F9380
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E50C132 1_2_6E50C132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F5980 4_2_6E4F5980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F6100 4_2_6E4F6100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E51AE28 4_2_6E51AE28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E521F65 4_2_6E521F65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E502C70 4_2_6E502C70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E511D50 4_2_6E511D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E50FD1F 4_2_6E50FD1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F2D10 4_2_6E4F2D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E5258EF 4_2_6E5258EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4FE6B0 4_2_6E4FE6B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E5257CB 4_2_6E5257CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E520569 4_2_6E520569
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E50C366 4_2_6E50C366
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F9380 4_2_6E4F9380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E50C132 4_2_6E50C132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB06EF 5_2_00AB06EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAED95 5_2_00AAED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA56A9 5_2_00AA56A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9F4A5 5_2_00A9F4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA04A4 5_2_00AA04A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAB0BA 5_2_00AAB0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9AEB9 5_2_00A9AEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA3ABE 5_2_00AA3ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A93085 5_2_00A93085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9F699 5_2_00A9F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9D899 5_2_00A9D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9C69B 5_2_00A9C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9A8E8 5_2_00A9A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB20F8 5_2_00AB20F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9E6FD 5_2_00A9E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9BEF5 5_2_00A9BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A954C0 5_2_00A954C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA7EDD 5_2_00AA7EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB0AD3 5_2_00AB0AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA0824 5_2_00AA0824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A93E3B 5_2_00A93E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AACC3F 5_2_00AACC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA0A37 5_2_00AA0A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9F20D 5_2_00A9F20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AABA18 5_2_00AABA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA1C12 5_2_00AA1C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB2C16 5_2_00AB2C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB0C66 5_2_00AB0C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAE478 5_2_00AAE478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB1C71 5_2_00AB1C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA604E 5_2_00AA604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA645F 5_2_00AA645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A933A9 5_2_00A933A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AABFA1 5_2_00AABFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA77A7 5_2_00AA77A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9938F 5_2_00A9938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB1987 5_2_00AB1987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9F984 5_2_00A9F984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A97D87 5_2_00A97D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA6B91 5_2_00AA6B91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9B7EC 5_2_00A9B7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9FBEF 5_2_00A9FBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB35E3 5_2_00AB35E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A91DF9 5_2_00A91DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAD5FE 5_2_00AAD5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A96BFE 5_2_00A96BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA91F7 5_2_00AA91F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A95DC3 5_2_00A95DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A939C3 5_2_00A939C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A92DC5 5_2_00A92DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA4DC5 5_2_00AA4DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA0FC5 5_2_00AA0FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAE7DA 5_2_00AAE7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA89DA 5_2_00AA89DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA13DB 5_2_00AA13DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AACF2C 5_2_00AACF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9B12E 5_2_00A9B12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A96125 5_2_00A96125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A97739 5_2_00A97739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA473A 5_2_00AA473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA3130 5_2_00AA3130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9E336 5_2_00A9E336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAD10B 5_2_00AAD10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA710D 5_2_00AA710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB3306 5_2_00AB3306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA8518 5_2_00AA8518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A98112 5_2_00A98112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A95314 5_2_00A95314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A94716 5_2_00A94716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9196D 5_2_00A9196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9996C 5_2_00A9996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAF561 5_2_00AAF561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB2560 5_2_00AB2560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A99565 5_2_00A99565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A95166 5_2_00A95166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9DD66 5_2_00A9DD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9597D 5_2_00A9597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A92B7C 5_2_00A92B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA5B7C 5_2_00AA5B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAC772 5_2_00AAC772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A92575 5_2_00A92575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A92176 5_2_00A92176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB314A 5_2_00AB314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AB2D4F 5_2_00AB2D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A94F42 5_2_00A94F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AAC145 5_2_00AAC145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A98D59 5_2_00A98D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9635F 5_2_00A9635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009806EF 6_2_009806EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097ED95 6_2_0097ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096C69B 6_2_0096C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096F699 6_2_0096F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096D899 6_2_0096D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00963085 6_2_00963085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00973ABE 6_2_00973ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097B0BA 6_2_0097B0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096AEB9 6_2_0096AEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009704A4 6_2_009704A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096F4A5 6_2_0096F4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009756A9 6_2_009756A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00977EDD 6_2_00977EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00980AD3 6_2_00980AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009654C0 6_2_009654C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009820F8 6_2_009820F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096BEF5 6_2_0096BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096E6FD 6_2_0096E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096A8E8 6_2_0096A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00971C12 6_2_00971C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00982C16 6_2_00982C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097BA18 6_2_0097BA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096F20D 6_2_0096F20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00970A37 6_2_00970A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097CC3F 6_2_0097CC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00963E3B 6_2_00963E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00970824 6_2_00970824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097645F 6_2_0097645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097604E 6_2_0097604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00981C71 6_2_00981C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097E478 6_2_0097E478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00980C66 6_2_00980C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00976B91 6_2_00976B91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00967D87 6_2_00967D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096F984 6_2_0096F984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096938F 6_2_0096938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00981987 6_2_00981987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009777A7 6_2_009777A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097BFA1 6_2_0097BFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009633A9 6_2_009633A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009713DB 6_2_009713DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097E7DA 6_2_0097E7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009789DA 6_2_009789DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00974DC5 6_2_00974DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00970FC5 6_2_00970FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00962DC5 6_2_00962DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00965DC3 6_2_00965DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009639C3 6_2_009639C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009791F7 6_2_009791F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00966BFE 6_2_00966BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097D5FE 6_2_0097D5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00961DF9 6_2_00961DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096FBEF 6_2_0096FBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096B7EC 6_2_0096B7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009835E3 6_2_009835E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00964716 6_2_00964716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00965314 6_2_00965314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00968112 6_2_00968112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00978518 6_2_00978518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097710D 6_2_0097710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097D10B 6_2_0097D10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00983306 6_2_00983306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096E336 6_2_0096E336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00973130 6_2_00973130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097473A 6_2_0097473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00967739 6_2_00967739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00966125 6_2_00966125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096B12E 6_2_0096B12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097CF2C 6_2_0097CF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096635F 6_2_0096635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00968D59 6_2_00968D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0098314A 6_2_0098314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097C145 6_2_0097C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00964F42 6_2_00964F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00982D4F 6_2_00982D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00962176 6_2_00962176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00962575 6_2_00962575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097C772 6_2_0097C772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00962B7C 6_2_00962B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00975B7C 6_2_00975B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096597D 6_2_0096597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00965166 6_2_00965166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096DD66 6_2_0096DD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00969565 6_2_00969565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0097F561 6_2_0097F561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00982560 6_2_00982560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096996C 6_2_0096996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096196D 6_2_0096196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006106EF 7_2_006106EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060ED95 7_2_0060ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00610C66 7_2_00610C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00611C71 7_2_00611C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060E478 7_2_0060E478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060604E 7_2_0060604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060645F 7_2_0060645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00600824 7_2_00600824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FF20D 7_2_005FF20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00600A37 7_2_00600A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060CC3F 7_2_0060CC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F3E3B 7_2_005F3E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00601C12 7_2_00601C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00612C16 7_2_00612C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060BA18 7_2_0060BA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006120F8 7_2_006120F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F54C0 7_2_005F54C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FE6FD 7_2_005FE6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FBEF5 7_2_005FBEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00610AD3 7_2_00610AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FA8E8 7_2_005FA8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00607EDD 7_2_00607EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006004A4 7_2_006004A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FC69B 7_2_005FC69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FF699 7_2_005FF699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FD899 7_2_005FD899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006056A9 7_2_006056A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060B0BA 7_2_0060B0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F3085 7_2_005F3085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00603ABE 7_2_00603ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FAEB9 7_2_005FAEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FF4A5 7_2_005FF4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F635F 7_2_005F635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060F561 7_2_0060F561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00612560 7_2_00612560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F8D59 7_2_005F8D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060C772 7_2_0060C772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00605B7C 7_2_00605B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F4F42 7_2_005F4F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F597D 7_2_005F597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F2B7C 7_2_005F2B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060C145 7_2_0060C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F2176 7_2_005F2176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F2575 7_2_005F2575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0061314A 7_2_0061314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00612D4F 7_2_00612D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F196D 7_2_005F196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F996C 7_2_005F996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F5166 7_2_005F5166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FDD66 7_2_005FDD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F9565 7_2_005F9565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F4716 7_2_005F4716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F5314 7_2_005F5314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060CF2C 7_2_0060CF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F8112 7_2_005F8112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00603130 7_2_00603130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060473A 7_2_0060473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F7739 7_2_005F7739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00613306 7_2_00613306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FE336 7_2_005FE336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060D10B 7_2_0060D10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060710D 7_2_0060710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FB12E 7_2_005FB12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00608518 7_2_00608518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F6125 7_2_005F6125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006135E3 7_2_006135E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006091F7 7_2_006091F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F2DC5 7_2_005F2DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F5DC3 7_2_005F5DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F39C3 7_2_005F39C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060D5FE 7_2_0060D5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F6BFE 7_2_005F6BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00604DC5 7_2_00604DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00600FC5 7_2_00600FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F1DF9 7_2_005F1DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FFBEF 7_2_005FFBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FB7EC 7_2_005FB7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060E7DA 7_2_0060E7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006089DA 7_2_006089DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006013DB 7_2_006013DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0060BFA1 7_2_0060BFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006077A7 7_2_006077A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F938F 7_2_005F938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F7D87 7_2_005F7D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005FF984 7_2_005FF984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00611987 7_2_00611987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00606B91 7_2_00606B91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F33A9 7_2_005F33A9
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E504F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E504F90 appears 52 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F1230 ntlbxpnmpq, 1_2_6E4F1230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F1230 ntlbxpnmpq, 4_2_6E4F1230
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: 9izNuvE61W.dll Virustotal: Detection: 25%
Source: 9izNuvE61W.dll ReversingLabs: Detection: 28%
Source: 9izNuvE61W.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9izNuvE61W.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9izNuvE61W.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9izNuvE61W.dll,agrwqhxohbh
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9izNuvE61W.dll,aoydsyidkopcdbcv
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vdzcdlwa\eulmfwikgypgs.hkq",GGNAVaUGDnJI
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F5980 GetTickCount64,FindResourceA, 1_2_6E4F5980
Source: classification engine Classification label: mal76.troj.evad.winDLL@21/0@0/29
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4FAF10 CoCreateInstance,OleRun, 1_2_6E4FAF10
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 9izNuvE61W.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 9izNuvE61W.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9izNuvE61W.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9izNuvE61W.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9izNuvE61W.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9izNuvE61W.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum
Source: 9izNuvE61W.dll Static PE information: real checksum: 0x75999 should be: 0x77062
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB151C push ds; ret 1_2_00DB1527
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB150F push ds; ret 1_2_00DB1527
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E504FE0 push ecx; ret 1_2_6E504FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E5273E1 push ecx; ret 1_2_6E5273F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E504FE0 push ecx; ret 4_2_6E504FF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E5273E1 push ecx; ret 4_2_6E5273F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9150F push ds; ret 5_2_00A91527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00A9151C push ds; ret 5_2_00A91527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096151C push ds; ret 6_2_00961527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0096150F push ds; ret 6_2_00961527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F151C push ds; ret 7_2_005F1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005F150F push ds; ret 7_2_005F1527

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Vdzcdlwa\eulmfwikgypgs.hkq

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vdzcdlwa\eulmfwikgypgs.hkq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4F6134 second address: 000000006E4F6168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF640869AB4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4F79F7 second address: 000000006E4F7A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF64084B61Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4F7A0A second address: 000000006E4F79F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FF6408761D7h 0x00000014 cmp ecx, dword ptr [6E53D008h] 0x0000001a jne 00007FF640869A93h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FF640869A9Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FF640869BF2h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FF640869C5Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FF6408698EEh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FF64086AFF3h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E53D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4F6134 second address: 000000006E4F6168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF64084B634h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4F79F7 second address: 000000006E4F7A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF640869A9Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4F7A0A second address: 000000006E4F79F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FF640857D57h 0x00000014 cmp ecx, dword ptr [6E53D008h] 0x0000001a jne 00007FF64084B613h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FF64084B61Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FF64084B772h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FF64084B7DEh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FF64084B46Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FF64084CB73h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E53D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E4F6134 second address: 000000006E4F6168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF640869AB4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E4F79F7 second address: 000000006E4F7A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF64084B61Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E4F7A0A second address: 000000006E4F79F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FF6408761D7h 0x00000014 cmp ecx, dword ptr [6E53D008h] 0x0000001a jne 00007FF640869A93h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FF640869A9Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FF640869BF2h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FF640869C5Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FF6408698EEh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FF64086AFF3h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E53D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F6100 rdtscp 1_2_6E4F6100
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E51BA20 FindFirstFileExW, 1_2_6E51BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E51BA20 FindFirstFileExW, 4_2_6E51BA20
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E504E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E504E67
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC4315 mov eax, dword ptr fs:[00000030h] 1_2_00DC4315
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F6100 mov eax, dword ptr fs:[00000030h] 1_2_6E4F6100
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F6100 mov eax, dword ptr fs:[00000030h] 1_2_6E4F6100
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E514F94 mov eax, dword ptr fs:[00000030h] 1_2_6E514F94
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E4F7A30 mov eax, dword ptr fs:[00000030h] 1_2_6E4F7A30
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E51B715 mov eax, dword ptr fs:[00000030h] 1_2_6E51B715
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E507334 mov esi, dword ptr fs:[00000030h] 1_2_6E507334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F6100 mov eax, dword ptr fs:[00000030h] 4_2_6E4F6100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F6100 mov eax, dword ptr fs:[00000030h] 4_2_6E4F6100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E514F94 mov eax, dword ptr fs:[00000030h] 4_2_6E514F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4F7A30 mov eax, dword ptr fs:[00000030h] 4_2_6E4F7A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E51B715 mov eax, dword ptr fs:[00000030h] 4_2_6E51B715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E507334 mov esi, dword ptr fs:[00000030h] 4_2_6E507334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00AA4315 mov eax, dword ptr fs:[00000030h] 5_2_00AA4315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00974315 mov eax, dword ptr fs:[00000030h] 6_2_00974315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00604315 mov eax, dword ptr fs:[00000030h] 7_2_00604315
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E50744C GetProcessHeap,HeapFree, 1_2_6E50744C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E50461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6E50461A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E50D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E50D436
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E504E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E504E67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E50461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E50461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E50D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E50D436

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9izNuvE61W.dll",#1
Source: rundll32.exe, 0000000A.00000002.1197872415.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000A.00000002.1197872415.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000A.00000002.1197872415.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000A.00000002.1197872415.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E51CE41
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E524EAC
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E524F7F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E524C7C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E524DA4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E524A27
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E52480D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E5248B6
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E524901
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E52499C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E51C982
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6E524610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E51CE41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E524EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E524F7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E524C7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E524DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E524A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E52480D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E5248B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E524901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E52499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E51C982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E524610
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E504C86 cpuid 1_2_6E504C86
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E504FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6E504FF7

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.5e4f70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.be4770.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.b843e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.cdfe88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.be4770.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.b843e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5e4f70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.db0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4443a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.cdfe88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4443a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1081852009.0000000000BCA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1109222127.0000000000960000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1081779748.00000000008D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1096930229.00000000005CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1111391424.0000000000B6A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1115024275.0000000000DB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1112860581.00000000005F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1107916093.0000000000A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1114394068.0000000000CBB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1112834820.000000000042A000.00000004.00000020.sdmp, type: MEMORY