Windows Analysis Report UioA2E9DBG.dll

Overview

General Information

Sample Name: UioA2E9DBG.dll
Analysis ID: 532429
MD5: 6988533cf7cbdccd0ea429571e0441a9
SHA1: 27836d3e04a31548fa09ec8537ba50777a73a42a
SHA256: 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3
Tags: 32dllexe

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Emotet
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Connects to several IPs in different countries
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.830000.0.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Multi AV Scanner detection for submitted file
Source: UioA2E9DBG.dll Virustotal: Detection: 23%
Source: UioA2E9DBG.dll ReversingLabs: Detection: 29%

Compliance:

Uses 32bit PE files
Source: UioA2E9DBG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: UioA2E9DBG.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3BA20 FindFirstFileExW, 0_2_6EA3BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA3BA20 FindFirstFileExW, 2_2_6EA3BA20

Networking:

C2 URLs / IPs found in malware configuration
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 18
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.3084270.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.aaeef0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3084270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.aaeef0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af4248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.626711178.0000000002ADA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626631642.0000000002790000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.625242397.0000000002E96000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.609722465.0000000002875000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.611321700.000000000306A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.609690193.00000000027A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.625153138.0000000002CC0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.627509669.0000000000830000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.611275948.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: UioA2E9DBG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Sample file is different than original file name gathered from version info
Source: UioA2E9DBG.dll Binary or memory string: OriginalFilenameYlncpiqzme.dll6 vs UioA2E9DBG.dll
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Uteaesuoyewsu\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA24F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA24F90 appears 52 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA11230 ntlbxpnmpq, 0_2_6EA11230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA11230 ntlbxpnmpq, 2_2_6EA11230
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: UioA2E9DBG.dll Virustotal: Detection: 23%
Source: UioA2E9DBG.dll ReversingLabs: Detection: 29%
Source: UioA2E9DBG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj",ArlfCURNcI
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA15980 GetTickCount64,FindResourceA, 0_2_6EA15980
Source: classification engine Classification label: mal76.troj.evad.winDLL@22/0@0/29
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1AF10 CoCreateInstance,OleRun, 0_2_6EA1AF10
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: UioA2E9DBG.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum
Source: UioA2E9DBG.dll Static PE information: real checksum: 0x75999 should be: 0x74f7b
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24FE0 push ecx; ret 0_2_6EA24FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA473E1 push ecx; ret 0_2_6EA473F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA24FE0 push ecx; ret 2_2_6EA24FF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA473E1 push ecx; ret 2_2_6EA473F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02DB151C push ds; ret 4_2_02DB1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02DB150F push ds; ret 4_2_02DB1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0279151C push ds; ret 5_2_02791527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0279150F push ds; ret 5_2_02791527

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA16134 second address: 000000006EA16168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FB8E476BFE4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA179F7 second address: 000000006EA17A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FB8E4BD79CEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA17A0A second address: 000000006EA179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FB8E4778707h 0x00000014 cmp ecx, dword ptr [6EA5D008h] 0x0000001a jne 00007FB8E476BFC3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FB8E476BFCFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FB8E476C122h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FB8E476C18Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FB8E476BE1Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FB8E476D523h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6EA5D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA16134 second address: 000000006EA16168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FB8E4BD79E4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA179F7 second address: 000000006EA17A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FB8E476BFCEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA17A0A second address: 000000006EA179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FB8E4BE4107h 0x00000014 cmp ecx, dword ptr [6EA5D008h] 0x0000001a jne 00007FB8E4BD79C3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FB8E4BD79CFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FB8E4BD7B22h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FB8E4BD7B8Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FB8E4BD781Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FB8E4BD8F23h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6EA5D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA16134 second address: 000000006EA16168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FB8E476BFE4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA179F7 second address: 000000006EA17A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FB8E4BD79CEh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA17A0A second address: 000000006EA179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FB8E4778707h 0x00000014 cmp ecx, dword ptr [6EA5D008h] 0x0000001a jne 00007FB8E476BFC3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FB8E476BFCFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FB8E476C122h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FB8E476C18Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FB8E476BE1Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FB8E476D523h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6EA5D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 rdtscp 0_2_6EA16100
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3BA20 FindFirstFileExW, 0_2_6EA3BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA3BA20 FindFirstFileExW, 2_2_6EA3BA20
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA24E67
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 mov eax, dword ptr fs:[00000030h] 0_2_6EA16100
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA34F94 mov eax, dword ptr fs:[00000030h] 0_2_6EA34F94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA17A30 mov eax, dword ptr fs:[00000030h] 0_2_6EA17A30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3B715 mov eax, dword ptr fs:[00000030h] 0_2_6EA3B715
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA27334 mov esi, dword ptr fs:[00000030h] 0_2_6EA27334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA16100 mov eax, dword ptr fs:[00000030h] 2_2_6EA16100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA34F94 mov eax, dword ptr fs:[00000030h] 2_2_6EA34F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA17A30 mov eax, dword ptr fs:[00000030h] 2_2_6EA17A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA3B715 mov eax, dword ptr fs:[00000030h] 2_2_6EA3B715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA27334 mov esi, dword ptr fs:[00000030h] 2_2_6EA27334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02DC4315 mov eax, dword ptr fs:[00000030h] 4_2_02DC4315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_027A4315 mov eax, dword ptr fs:[00000030h] 5_2_027A4315
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2744C GetProcessHeap,HeapFree, 0_2_6EA2744C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 rdtscp 0_2_6EA16100
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA24E67
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6EA2461A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA2D436
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA24E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EA24E67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA2461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EA2461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA2D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EA2D436

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EA44EAC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EA3CE41
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6EA44F7F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EA44C7C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6EA44DA4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6EA44A27
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA448B6
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EA4480D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA3C982
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA4499C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA44901
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6EA44610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EA44EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EA3CE41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6EA44F7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EA44C7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6EA44DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6EA44A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EA448B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6EA4480D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EA3C982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EA4499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6EA44901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6EA44610
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24C86 cpuid 0_2_6EA24C86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6EA24FF7

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.3084270.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.aaeef0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3084270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.aaeef0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af4248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.626711178.0000000002ADA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626631642.0000000002790000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.625242397.0000000002E96000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.609722465.0000000002875000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.611321700.000000000306A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.609690193.00000000027A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.625153138.0000000002CC0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.627509669.0000000000830000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.611275948.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY