Windows Analysis Report UioA2E9DBG.dll

Overview

General Information

Sample Name: UioA2E9DBG.dll
Analysis ID: 532429
MD5: 6988533cf7cbdccd0ea429571e0441a9
SHA1: 27836d3e04a31548fa09ec8537ba50777a73a42a
SHA256: 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3
Tags: 32 dll exe

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Emotet
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Connects to several IPs in different countries
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4828 cmdline: loaddll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7044 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6704 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj",ArlfCURNcI MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4752 cmdline: rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3880 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5760 cmdline: rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4436 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 4972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.626711178.0000000002ADA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.626631642.0000000002790000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.625242397.0000000002E96000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.609722465.0000000002875000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.3084270.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.aaeef0.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.27a0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
2.2.rundll32.exe.2cc0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.2790000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.830000.0.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Multi AV Scanner detection for submitted file
Source: UioA2E9DBG.dll | Virustotal: Detection: 23%
Source: UioA2E9DBG.dll | ReversingLabs: Detection: 29%
Source: UioA2E9DBG.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: UioA2E9DBG.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3BA20 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA3BA20 FindFirstFileExW,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 46.55.222.11:443
Source: Malware configuration extractor | IPs: 104.245.52.73:8080
Source: Malware configuration extractor | IPs: 41.76.108.46:8080
Source: Malware configuration extractor | IPs: 103.8.26.103:8080
Source: Malware configuration extractor | IPs: 185.184.25.237:8080
Source: Malware configuration extractor | IPs: 103.8.26.102:8080
Source: Malware configuration extractor | IPs: 203.114.109.124:443
Source: Malware configuration extractor | IPs: 45.118.115.99:8080
Source: Malware configuration extractor | IPs: 178.79.147.66:8080
Source: Malware configuration extractor | IPs: 58.227.42.236:80
Source: Malware configuration extractor | IPs: 45.118.135.203:7080
Source: Malware configuration extractor | IPs: 103.75.201.2:443
Source: Malware configuration extractor | IPs: 195.154.133.20:443
Source: Malware configuration extractor | IPs: 45.142.114.231:8080
Source: Malware configuration extractor | IPs: 212.237.5.209:443
Source: Malware configuration extractor | IPs: 207.38.84.195:8080
Source: Malware configuration extractor | IPs: 104.251.214.46:8080
Source: Malware configuration extractor | IPs: 212.237.17.99:8080
Source: Malware configuration extractor | IPs: 212.237.56.116:7080
Source: Malware configuration extractor | IPs: 216.158.226.206:443
Source: Malware configuration extractor | IPs: 110.232.117.186:8080
Source: Malware configuration extractor | IPs: 158.69.222.101:443
Source: Malware configuration extractor | IPs: 107.182.225.142:8080
Source: Malware configuration extractor | IPs: 176.104.106.96:8080
Source: Malware configuration extractor | IPs: 81.0.236.90:443
Source: Malware configuration extractor | IPs: 50.116.54.215:443
Source: Malware configuration extractor | IPs: 138.185.72.26:8080
Source: Malware configuration extractor | IPs: 51.68.175.8:8080
Source: Malware configuration extractor | IPs: 210.57.217.132:8080
Source: unknown | Network traffic detected: IP country count 18
Source: Joe Sandbox View | ASN Name: OnlineSASFR
Source: Joe Sandbox View | ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View | IP Address: 195.154.133.20
Source: Joe Sandbox View | IP Address: 212.237.17.99
Source: loaddll32.exe, 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 4.2.rundll32.exe.3084270.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.aaeef0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3084270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.aaeef0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2af4248.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2af4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.626711178.0000000002ADA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.626631642.0000000002790000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.625242397.0000000002E96000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.609722465.0000000002875000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.611321700.000000000306A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.609690193.00000000027A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.625153138.0000000002CC0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.627509669.0000000000830000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.611275948.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY
Source: UioA2E9DBG.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: UioA2E9DBG.dll | Binary or memory string: OriginalFilenameYlncpiqzme.dll6 vs UioA2E9DBG.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Uteaesuoyewsu\
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA15980
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA16100
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA3AE28
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA41F65
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA22C70
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA12D10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA2FD1F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA31D50
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA458EF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA1E6B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA457CB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA40569
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA19380
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA2C366
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA440B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA2C132
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA15980
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA16100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA3AE28
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA41F65
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA22C70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA12D10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA2FD1F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA31D50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA458EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA1E6B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA457CB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA40569
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA19380
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA2C366
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA440B7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EA2C132
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD06EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCED95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC7EDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD0AD3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB54C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD20F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBE6FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBBEF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBA8E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBC69B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBF699
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBD899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB3085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC3ABE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBAEB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCB0BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC56A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB68AD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC04A4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBF4A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC645F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC604E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCE478
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD1C71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD0C66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCBA18
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD2C16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC1C12
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBF20D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB3E3B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCCC3F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC0A37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC0824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCE7DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC89DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC13DB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB5DC3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB39C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC4DC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC0FC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB2DC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB1DF9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCD5FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB6BFE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC91F7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBFBEF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBB7EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD35E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB938F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD1987
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB7D87
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBF984
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB33A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC77A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCBFA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB8D59
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB635F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD2D4F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD314A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB4F42
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCC145
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC5B7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB597D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB2B7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB2176
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCC772
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB2575
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB196D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB996C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCF561
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB5166
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBDD66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB9565
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC8518
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB8112
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB4716
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB5314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC710D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCD10B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DD3306
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB7739
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC473A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DC3130
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBE336
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DCCF2C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DBB12E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02DB6125
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B06EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AED95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AE478
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B1C71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B0C66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A645F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A604E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02793E3B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027ACC3F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A0A37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A0824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027ABA18
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A1C12
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B2C16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279F20D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B20F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279E6FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279BEF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279A8E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A7EDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B0AD3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027954C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AB0BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279AEB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A3ABE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A56A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027968AD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279F4A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A04A4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279F699
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279D899
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279C69B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02793085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279597D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02792B7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A5B7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AC772
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02792575
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02792176
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279196D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279996C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AF561
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02799565
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02795166
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279DD66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02798D59
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279635F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B314A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B2D4F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02794F42
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AC145
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02797739
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A473A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A3130
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279E336
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027ACF2C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279B12E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02796125
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A8518
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02798112
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02795314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02794716
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AD10B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A710D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B3306
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02791DF9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AD5FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02796BFE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A91F7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279B7EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279FBEF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B35E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027AE7DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A89DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A13DB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02795DC3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027939C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02792DC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A4DC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A0FC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027933A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027ABFA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027A77A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279938F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_027B1987
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0279F984
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02797D87
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6EA24F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EA24F90 appears 52 times
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA11230 ntlbxpnmpq,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6EA11230 ntlbxpnmpq,
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                      Source: UioA2E9DBG.dllVirustotal: Detection: 23%
                      Source: UioA2E9DBG.dllReversingLabs: Detection: 29%
                      Source: UioA2E9DBG.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj",ArlfCURNcI
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj",ArlfCURNcI
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EA15980 GetTickCount64,FindResourceA,
                      Source: classification engineClassification label: mal76.troj.evad.winDLL@22/0@0/29
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EA1AF10 CoCreateInstance,OleRun,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: UioA2E9DBG.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: UioA2E9DBG.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: UioA2E9DBG.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: UioA2E9DBG.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: UioA2E9DBG.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: UioA2E9DBG.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: UioA2E9DBG.dllStatic PE information: real checksum: 0x75999 should be: 0x74f7b
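The "real checksum ... should be" row above compares the CheckSum field stored in the PE optional header against the value recomputed over the whole file. The C program below is a worked example added to this page; it is not part of the Joe Sandbox report and does not operate on UioA2E9DBG.dll. It implements the CheckSum algorithm Windows uses (a 16-bit ones'-complement sum over the file with the 4-byte CheckSum field skipped, plus the file length) and runs it over a constructed 256-byte PE header stub; the stub and the expected value 0xA1E8 are constructed for the example.

```c
/* PE CheckSum recomputation behind the "real checksum X should be Y" signature.
 * Added example; the buffer built below is a constructed stub, not the analysed DLL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CheckSum sits 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 0x40 bytes past e_lfanew,
 * for both PE32 and PE32+ optional headers. */
#define CHECKSUM_OFFSET_FROM_PE_SIG 0x58u

/* File offset of the CheckSum field, or 0 if the MZ/PE headers do not parse. */
static size_t pe_checksum_field_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    uint32_t e_lfanew = (uint32_t)img[0x3C] | (uint32_t)img[0x3D] << 8 |
                        (uint32_t)img[0x3E] << 16 | (uint32_t)img[0x3F] << 24;
    if ((size_t)e_lfanew + CHECKSUM_OFFSET_FROM_PE_SIG + 4 > len)
        return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    return e_lfanew + CHECKSUM_OFFSET_FROM_PE_SIG;
}

/* The stored CheckSum (what the report calls the "real" checksum); 0 if headers are invalid. */
uint32_t pe_stored_checksum(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_field_offset(img, len);
    if (off == 0) return 0;
    return (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
}

/* The recomputed CheckSum (what the report says it "should be"): sum little-endian
 * 16-bit words with end-around carry, skip the CheckSum dword, then add the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len)
{
    size_t skip = pe_checksum_field_offset(img, len);
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (skip != 0 && i >= skip && i < skip + 4)
            continue;                                  /* the field itself is never summed */
        uint32_t word = img[i];
        if (i + 1 < len)
            word |= (uint32_t)img[i + 1] << 8;         /* odd trailing byte: high byte is zero */
        sum += word;
        sum = (sum & 0xFFFFu) + (sum >> 16);           /* fold the carry back in */
    }
    sum = (sum & 0xFFFFu) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* Constructed stub: MZ, e_lfanew = 0x40, "PE\0\0", PE32 magic 0x10B, CheckSum left at zero. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const size_t len = 0x100;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                  /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 0x18] = 0x0B; buf[0x40 + 0x19] = 0x01;  /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    return len;
}

/* Build the stub, compute its checksum, write it into the header and confirm it
 * recomputes unchanged. Returns the computed value, or 0 on any failure. */
uint32_t sample_pe_checksum_roundtrip(void)
{
    uint8_t img[0x100];
    size_t len = build_sample_pe(img, sizeof img);
    if (len == 0 || pe_stored_checksum(img, len) != 0) return 0;
    uint32_t c = pe_compute_checksum(img, len);
    size_t off = pe_checksum_field_offset(img, len);
    for (int i = 0; i < 4; i++) img[off + i] = (uint8_t)(c >> (8 * i));
    if (pe_stored_checksum(img, len) != c || pe_compute_checksum(img, len) != c) return 0;
    return c;
}

int main(void)
{
    uint8_t img[0x100];
    size_t len = build_sample_pe(img, sizeof img);
    printf("stored CheckSum: 0x%X, recomputed: 0x%X\n",
           pe_stored_checksum(img, len), pe_compute_checksum(img, len));
    return 0;
}
```

Point the two functions at a real file's bytes and a mismatch like the one in the row above means the image was modified after linking (packed, patched or built by a toolchain that leaves the field stale). The loader only enforces CheckSum for drivers and a few boot-critical system binaries, so a wrong value does not stop a user-mode DLL from loading; it is a triage signal, not a verdict.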
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24FE0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA473E1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA24FE0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA473E1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02DB151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02DB150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0279151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0279150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj
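The process-creation rows above record the execution chain the sandbox saw: loaddll32.exe (the analysis harness) running rundll32.exe on the DLL, and rundll32.exe then launching a second rundll32.exe on the relocated payload C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj with a random export name, after the "PE file moved" row. The C program below is an added example, not part of the report or of any vendor's tooling: it applies three command-line heuristics to rundll32 invocations (module under a user-writable \Users\ path, module in a subdirectory of System32 or SysWOW64, module extension that is not one rundll32 normally loads) over a constructed set of telemetry lines copied from the rows above plus one constructed benign control line. The heuristics are the example's own choices.

```c
/* Heuristic triage of rundll32.exe command lines from process-creation telemetry.
 * Added example; the "log" below is constructed from the report's command lines plus
 * one benign line. A non-zero result is a triage signal, not a verdict. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum {
    RUNDLL_NOT_RUNDLL32 = 0,
    RUNDLL_USER_PATH    = 1 << 0,  /* module under \Users\ (user-writable location) */
    RUNDLL_SYSDIR_SUB   = 1 << 1,  /* module in a subdirectory of System32 / SysWOW64 */
    RUNDLL_ODD_EXT      = 1 << 2   /* module extension is not dll/cpl/ocx/ax */
};

/* Case-insensitive substring search; returns a pointer into hay or NULL. */
static const char *ci_find(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Copy the module argument that follows "rundll32.exe" into out, lower-cased.
 * Returns 0 when the line is not a rundll32 invocation or carries no module argument. */
int rundll32_module(const char *cmdline, char *out, size_t cap)
{
    const char *p = ci_find(cmdline, "rundll32.exe");
    if (!p) return 0;
    p += strlen("rundll32.exe");
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '"') {                     /* quoted: everything up to the closing quote */
        p++;
        size_t n = 0;
        while (*p && *p != '"' && n + 1 < cap) out[n++] = (char)tolower((unsigned char)*p++);
        out[n] = 0;
        return n > 0;
    }
    size_t n = 0;                        /* unquoted: rundll32 stops at the comma before the export */
    while (*p && *p != ',' && *p != ' ' && n + 1 < cap) out[n++] = (char)tolower((unsigned char)*p++);
    out[n] = 0;
    return n > 0;
}

/* Bitmask of the heuristics that fire for one command line. */
unsigned classify_rundll32(const char *cmdline)
{
    char mod[512];
    unsigned flags = 0;
    if (!rundll32_module(cmdline, mod, sizeof mod))
        return RUNDLL_NOT_RUNDLL32;

    if (strstr(mod, "\\users\\"))
        flags |= RUNDLL_USER_PATH;

    const char *sysdirs[] = { "\\system32\\", "\\syswow64\\" };
    for (size_t i = 0; i < 2; i++) {
        const char *s = strstr(mod, sysdirs[i]);
        if (s && strchr(s + strlen(sysdirs[i]), '\\'))   /* a further separator: subdirectory */
            flags |= RUNDLL_SYSDIR_SUB;
    }

    const char *base = strrchr(mod, '\\');
    base = base ? base + 1 : mod;
    const char *ext = strrchr(base, '.');
    if (!ext || (strcmp(ext, ".dll") && strcmp(ext, ".cpl") && strcmp(ext, ".ocx") && strcmp(ext, ".ax")))
        flags |= RUNDLL_ODD_EXT;
    return flags;
}

/* Constructed telemetry: three lines from the report's process tree and one benign control. */
static const char *LOG[] = {
    "rundll32.exe C:\\Users\\user\\Desktop\\UioA2E9DBG.dll,Control_RunDLL",
    "rundll32.exe \"C:\\Users\\user\\Desktop\\UioA2E9DBG.dll\",#1",
    "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Windows\\SysWOW64\\Uteaesuoyewsu\\kffdjmqicgbnmom.ioj\",ArlfCURNcI",
    "rundll32.exe shell32.dll,Control_RunDLL",   /* benign control, constructed */
};

int main(void)
{
    for (size_t i = 0; i < sizeof LOG / sizeof LOG[0]; i++)
        printf("flags=0x%x  %s\n", classify_rundll32(LOG[i]), LOG[i]);
    return 0;
}
```

The relocated payload trips two heuristics at once (a System32/SysWOW64 subdirectory and the .ioj extension), while the harness's own invocations only trip the user-path check, which is also what a legitimate user-installed program would trip. LoadLibrary does not care about the extension, so the odd-extension signal is exactly the kind of thing a sample like this relies on being ignored; treat the System32-subdirectory and odd-extension bits as the ones worth alerting on.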

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (observed 11 times)
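The zone.identifier row above records the dropped payload's ":Zone.Identifier" alternate data stream being opened with delete access. That stream is the Mark of the Web; removing it makes the file look like it was never downloaded, which is why the report files it under hiding techniques. The C code below is an added example (not part of the report) of parsing that stream's content as an analyst would read it out of an image, returning the zone and origin URL and treating an absent stream as the state the sample leaves behind. The stream text is constructed for the example and the URL is a placeholder, not anything taken from the sample's configuration.

```c
/* Parse the content of an NTFS ":Zone.Identifier" stream (Mark of the Web).
 * Added example; the stream text below is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ZONE_MISSING   (-1)   /* no stream: never downloaded, or the mark was deleted */
#define ZONE_MALFORMED (-2)   /* stream present but not a [ZoneTransfer] block with a valid ZoneId */

/* URLZONE_* values that browsers and mail clients write. */
static const char *zone_name(int zone)
{
    switch (zone) {
    case 0: return "Local machine";
    case 1: return "Local intranet";
    case 2: return "Trusted sites";
    case 3: return "Internet";
    case 4: return "Restricted sites";
    default: return "unknown";
    }
}

/* Copy one INI value (text after '=') up to CR/LF into out. */
static void copy_value(const char *p, char *out, size_t cap)
{
    size_t n = 0;
    while (*p && *p != '\r' && *p != '\n' && n + 1 < cap) out[n++] = *p++;
    out[n] = 0;
}

/* Returns the ZoneId (0..4), ZONE_MISSING or ZONE_MALFORMED. host_out, if given, gets HostUrl. */
int parse_zone_identifier(const char *stream, char *host_out, size_t host_cap)
{
    if (host_out && host_cap) host_out[0] = 0;
    if (!stream) return ZONE_MISSING;

    const char *sect = strstr(stream, "[ZoneTransfer]");
    if (!sect) return ZONE_MALFORMED;

    int zone = ZONE_MALFORMED;
    const char *line = sect;
    while (*line) {
        const char *nl = strpbrk(line, "\r\n");     /* advance to the next line */
        if (!nl) break;
        line = nl + strspn(nl, "\r\n");
        if (*line == '[') break;                     /* a different section: stop */
        if (strncmp(line, "ZoneId=", 7) == 0) {
            char *end;
            long v = strtol(line + 7, &end, 10);
            if (end == line + 7 || (*end != '\r' && *end != '\n' && *end != 0) || v < 0 || v > 4)
                return ZONE_MALFORMED;
            zone = (int)v;
        } else if (strncmp(line, "HostUrl=", 8) == 0 && host_out) {
            copy_value(line + 8, host_out, host_cap);
        }
    }
    return zone;
}

/* Constructed stream content as a browser writes it for an Internet download. */
static const char SAMPLE_STREAM[] =
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/UioA2E9DBG.dll\r\n";

int sample_zone_id(void) { return parse_zone_identifier(SAMPLE_STREAM, NULL, 0); }

const char *sample_host_url(void)
{
    static char host[256];
    parse_zone_identifier(SAMPLE_STREAM, host, sizeof host);
    return host;
}

int main(void)
{
    int z = sample_zone_id();
    printf("zone %d (%s), host %s\n", z, zone_name(z), sample_host_url());
    z = parse_zone_identifier(NULL, NULL, 0);
    printf("no stream -> %d: %s\n", z, z == ZONE_MISSING ? "mark absent or removed" : zone_name(z));
    return 0;
}
```

On a live Windows host the stream is read with Get-Content -Path <file> -Stream Zone.Identifier and listed with Get-Item -Stream * or dir /R; deleting it is as simple as DeleteFile on the path with the ":Zone.Identifier" suffix, which is what the "read attributes | delete" access in the row above corresponds to. A file in a System32 subdirectory with no stream proves nothing on its own, so use the absence together with the file's creation time and the process that wrote it.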

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA16134 second address: 000000006EA16168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FB8E476BFE4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA179F7 second address: 000000006EA17A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FB8E4BD79CEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA17A0A second address: 000000006EA179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FB8E4778707h 0x00000014 cmp ecx, dword ptr [6EA5D008h] 0x0000001a jne 00007FB8E476BFC3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FB8E476BFCFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FB8E476C122h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FB8E476C18Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FB8E476BE1Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FB8E476D523h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6EA5D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA16134 second address: 000000006EA16168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FB8E4BD79E4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA179F7 second address: 000000006EA17A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FB8E476BFCEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA17A0A second address: 000000006EA179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FB8E4BE4107h 0x00000014 cmp ecx, dword ptr [6EA5D008h] 0x0000001a jne 00007FB8E4BD79C3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FB8E4BD79CFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FB8E4BD7B22h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FB8E4BD7B8Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FB8E4BD781Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FB8E4BD8F23h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6EA5D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA16134 second address: 000000006EA16168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FB8E476BFE4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA179F7 second address: 000000006EA17A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FB8E4BD79CEh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA17A0A second address: 000000006EA179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FB8E4778707h 0x00000014 cmp ecx, dword ptr [6EA5D008h] 0x0000001a jne 00007FB8E476BFC3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FB8E476BFCFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FB8E476C122h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FB8E476C18Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FB8E476BE1Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FB8E476D523h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6EA5D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
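The interceptor rows above show pairs of rdtscp reads bracketing short stretches of code, which is the pattern behind the "RDTSC time measurements" signature: on bare metal the cycle delta between two reads is small and stable, while under a hypervisor that traps an instruction executed in between (cpuid is the classic probe) the delta is far larger. The C program below is an added example of that technique, not code recovered from the sample. Using cpuid as the probe, taking the minimum over 64 samples and the 1000-cycle threshold are the example's own assumptions; nothing here reproduces the sample's constants or its decision logic. On non-x86 builds it falls back to clock_gettime so it still compiles, but the numbers are then nanoseconds rather than cycles.

```c
/* RDTSCP timing check of the kind recorded by the "RDTSC instruction interceptor" rows.
 * Added example, not code from the sample; the probe, sample count and threshold are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
static uint64_t read_tsc(void) { unsigned aux; return __rdtscp(&aux); }   /* rdtscp, as in the trace */
static void probe(void)                                                   /* cpuid: trapped by most hypervisors */
{
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
}
#else
#include <time.h>
static uint64_t read_tsc(void)            /* fallback: nanoseconds, not cycles */
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static void probe(void) { }
#endif

/* One measurement: ticks spent executing the probe between two timestamp reads. */
uint64_t probe_delta(void)
{
    uint64_t t0 = read_tsc();
    probe();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Minimum over n samples: interrupts and scheduling only ever inflate a sample,
 * so the minimum is the cleanest estimate of the probe's true cost. */
uint64_t min_probe_delta(unsigned n)
{
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < n; i++) {
        uint64_t d = probe_delta();
        if (d < best) best = d;
    }
    return best;
}

/* The decision rule, kept separate from the measurement so it can be tested on its own:
 * 1 = "looks virtualized", 0 = "looks like bare metal". */
int looks_virtualized(uint64_t min_delta, uint64_t threshold)
{
    return min_delta > threshold;
}

#define ASSUMED_THRESHOLD 1000u   /* cycles; an assumption for this example, not the sample's value */

int main(void)
{
    uint64_t d = min_probe_delta(64);
    printf("min rdtscp delta around probe: %llu -> %s\n", (unsigned long long)d,
           looks_virtualized(d, ASSUMED_THRESHOLD) ? "likely virtualized" : "likely bare metal");
    return 0;
}
```

The check cuts both ways. A sandbox that instruments rdtsc/rdtscp, which is what the interceptor rows above record, can hand back adjusted values and make the deltas look native, and hypervisors with TSC offsetting can do the same without instrumentation; conversely, a bare-metal box under heavy load can produce one large sample, which is why the minimum rather than a single reading is used here.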
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 rdtscp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3BA20 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA3BA20 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA34F94 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA17A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3B715 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA27334 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA16100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA16100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA34F94 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA17A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA3B715 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA27334 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02DC4315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_027A4315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2744C GetProcessHeap,HeapFree,
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA16100 rdtscp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA2D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA24E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA2461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EA2D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000B.00000002.684425062.0000000003140000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24C86 cpuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA24FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.3084270.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.aaeef0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3084270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.aaeef0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af4248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2af4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.626711178.0000000002ADA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.626631642.0000000002790000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.625242397.0000000002E96000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.609722465.0000000002875000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.611321700.000000000306A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.609690193.00000000027A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.625153138.0000000002CC0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.627509669.0000000000830000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.611275948.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

(Superscript signature counts from the original matrix are shown after a caret, e.g. Process Injection^12. Empty cells are empty in the original.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection^12 | Masquerading^2 | Input Capture^1 | System Time Discovery^1 | Remote Services | Input Capture^1 | Exfiltration Over Other Network Medium | Encrypted Channel^1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection^12 | LSASS Memory | Security Software Discovery^13 | Remote Desktop Protocol | Archive Collected Data^1 | Exfiltration Over Bluetooth | Application Lay Protocol^1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information^1 | Security Account Manager | Process Discovery^1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories^1 | NTDS | File and Directory Discovery^2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information^2 | LSA Secrets | System Information Discovery^123 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32^1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion^1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 532429; Sample: UioA2E9DBG.dll; Start date: 02/12/2021; Architecture: WINDOWS; Score: 76

Network nodes in the graph:
210.57.217.132 (UNAIR-AS-ID Universitas Airlangga, Indonesia)
203.114.109.124 (TOT-LLI-AS-AP TOT Public Company Limited, Thailand)
27 other IPs or domains

Signatures attached to the sample node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Emotet; C2 URLs / IPs found in malware configuration

Process tree as drawn in the graph (signatures attached to a node in brackets):
loaddll32.exe [Tries to detect virtualization through RDTSC time measurements]
    rundll32.exe [Tries to detect virtualization through RDTSC time measurements; Hides that the sample has been downloaded from the Internet (zone.identifier)]
        rundll32.exe
    cmd.exe
        rundll32.exe
            rundll32.exe
    rundll32.exe
        rundll32.exe
    2 other processes
        rundll32.exe
svchost.exe

                      Screenshots

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source         | Detection | Scanner       | Label
UioA2E9DBG.dll | 23%       | Virustotal    |
UioA2E9DBG.dll | 30%       | ReversingLabs | Win32.Trojan.Fragtor

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source                            | Detection | Scanner | Label
0.2.loaddll32.exe.830000.0.unpack | 100%      | Avira   | HEUR/AGEN.1110387
4.2.rundll32.exe.2db0000.0.unpack | 100%      | Avira   | HEUR/AGEN.1110387
2.2.rundll32.exe.2cc0000.0.unpack | 100%      | Avira   | HEUR/AGEN.1110387
5.2.rundll32.exe.2790000.0.unpack | 100%      | Avira   | HEUR/AGEN.1110387
3.2.rundll32.exe.27a0000.0.unpack | 100%      | Avira   | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted IPs

                      Public

IP              | Domain  | Country           | ASN    | ASN Name                                    | Malicious
195.154.133.20  | unknown | France            | 12876  | OnlineSASFR                                 | true
212.237.17.99   | unknown | Italy             | 31034  | ARUBA-ASNIT                                 | true
110.232.117.186 | unknown | Australia         | 56038  | RACKCORP-APRackCorpAU                       | true
104.245.52.73   | unknown | United States     | 63251  | METRO-WIRELESSUS                            | true
138.185.72.26   | unknown | Brazil            | 264343 | EmpasoftLtdaMeBR                            | true
81.0.236.90     | unknown | Czech Republic    | 15685  | CASABLANCA-ASInternetCollocationProviderCZ  | true
45.118.115.99   | unknown | Indonesia         | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true
103.75.201.2    | unknown | Thailand          | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH            | true
216.158.226.206 | unknown | United States     | 19318  | IS-AS-1US                                   | true
107.182.225.142 | unknown | United States     | 32780  | HOSTINGSERVICES-INCUS                       | true
45.118.135.203  | unknown | Japan             | 63949  | LINODE-APLinodeLLCUS                        | true
50.116.54.215   | unknown | United States     | 63949  | LINODE-APLinodeLLCUS                        | true
51.68.175.8     | unknown | France            | 16276  | OVHFR                                       | true
103.8.26.102    | unknown | Malaysia          | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY          | true
46.55.222.11    | unknown | Bulgaria          | 34841  | BALCHIKNETBG                                | true
41.76.108.46    | unknown | South Africa      | 327979 | DIAMATRIXZA                                 | true
103.8.26.103    | unknown | Malaysia          | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY          | true
178.79.147.66   | unknown | United Kingdom    | 63949  | LINODE-APLinodeLLCUS                        | true
212.237.5.209   | unknown | Italy             | 31034  | ARUBA-ASNIT                                 | true
176.104.106.96  | unknown | Serbia            | 198371 | NINETRS                                     | true
207.38.84.195   | unknown | United States     | 30083  | AS-30083-GO-DADDY-COM-LLCUS                 | true
212.237.56.116  | unknown | Italy             | 31034  | ARUBA-ASNIT                                 | true
45.142.114.231  | unknown | Germany           | 44066  | DE-FIRSTCOLOwwwfirst-colonetDE              | true
203.114.109.124 | unknown | Thailand          | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH      | true
210.57.217.132  | unknown | Indonesia         | 38142  | UNAIR-AS-IDUniversitasAirlanggaID           | true
58.227.42.236   | unknown | Korea Republic of | 9318   | SKB-ASSKBroadbandCoLtdKR                    | true
185.184.25.237  | unknown | Turkey            | 209711 | MUVHOSTTR                                   | true
158.69.222.101  | unknown | Canada            | 16276  | OVHFR                                       | true
104.251.214.46  | unknown | United States     | 54540  | INCERO-HVVCUS                               | true
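All 29 addresses in the table are marked malicious and are spread over 18 countries and 23 ASNs; that spread is what the "Connects to several IPs in different countries" signature measures, and the list itself is the C2 set a defender would block. The following added example (mine, not code from the report) re-derives those figures from the table and emits a firewall blocklist and Suricata rules from it. CONTACTED_IPS is the table above copied by hand; the thresholds in is_multi_country_beacon and the sid range are my own choices, not values from the report, and the rules match on the IP layer with any port because the report lists addresses only.

```python
import ipaddress
from collections import Counter

# The Contacted IPs table above, copied by hand: (ip, country, asn, asn name).
CONTACTED_IPS = [
    ("195.154.133.20", "France", 12876, "OnlineSASFR"),
    ("212.237.17.99", "Italy", 31034, "ARUBA-ASNIT"),
    ("110.232.117.186", "Australia", 56038, "RACKCORP-APRackCorpAU"),
    ("104.245.52.73", "United States", 63251, "METRO-WIRELESSUS"),
    ("138.185.72.26", "Brazil", 264343, "EmpasoftLtdaMeBR"),
    ("81.0.236.90", "Czech Republic", 15685, "CASABLANCA-ASInternetCollocationProviderCZ"),
    ("45.118.115.99", "Indonesia", 131717, "IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID"),
    ("103.75.201.2", "Thailand", 133496, "CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH"),
    ("216.158.226.206", "United States", 19318, "IS-AS-1US"),
    ("107.182.225.142", "United States", 32780, "HOSTINGSERVICES-INCUS"),
    ("45.118.135.203", "Japan", 63949, "LINODE-APLinodeLLCUS"),
    ("50.116.54.215", "United States", 63949, "LINODE-APLinodeLLCUS"),
    ("51.68.175.8", "France", 16276, "OVHFR"),
    ("103.8.26.102", "Malaysia", 132241, "SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY"),
    ("46.55.222.11", "Bulgaria", 34841, "BALCHIKNETBG"),
    ("41.76.108.46", "South Africa", 327979, "DIAMATRIXZA"),
    ("103.8.26.103", "Malaysia", 132241, "SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY"),
    ("178.79.147.66", "United Kingdom", 63949, "LINODE-APLinodeLLCUS"),
    ("212.237.5.209", "Italy", 31034, "ARUBA-ASNIT"),
    ("176.104.106.96", "Serbia", 198371, "NINETRS"),
    ("207.38.84.195", "United States", 30083, "AS-30083-GO-DADDY-COM-LLCUS"),
    ("212.237.56.116", "Italy", 31034, "ARUBA-ASNIT"),
    ("45.142.114.231", "Germany", 44066, "DE-FIRSTCOLOwwwfirst-colonetDE"),
    ("203.114.109.124", "Thailand", 131293, "TOT-LLI-AS-APTOTPublicCompanyLimitedTH"),
    ("210.57.217.132", "Indonesia", 38142, "UNAIR-AS-IDUniversitasAirlanggaID"),
    ("58.227.42.236", "Korea Republic of", 9318, "SKB-ASSKBroadbandCoLtdKR"),
    ("185.184.25.237", "Turkey", 209711, "MUVHOSTTR"),
    ("158.69.222.101", "Canada", 16276, "OVHFR"),
    ("104.251.214.46", "United States", 54540, "INCERO-HVVCUS"),
]


def validate(rows):
    """Reject anything that is not a public unicast IPv4 address, so a typo
    such as a private range never ends up in a blocklist."""
    out = []
    for ip, country, asn, name in rows:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or not addr.is_global:
            raise ValueError(f"unexpected address in C2 list: {ip}")
        out.append((str(addr), country, asn, name))
    return out


def geo_spread(rows):
    """Distinct countries and ASNs behind the contacted addresses, plus the
    ASNs hosting more than one C2 (the basis of the 'several IPs in
    different countries' observation)."""
    countries = Counter(r[1] for r in rows)
    asns = Counter(r[2] for r in rows)
    return {
        "ips": len(rows),
        "countries": len(countries),
        "asns": len(asns),
        "repeated_asns": sorted(a for a, c in asns.items() if c > 1),
    }


def is_multi_country_beacon(rows, min_ips=5, min_countries=3):
    """Thresholds are my own choice, not the sandbox's."""
    spread = geo_spread(rows)
    return spread["ips"] >= min_ips and spread["countries"] >= min_countries


def blocklist(rows):
    """Deduplicated, numerically sorted list for a firewall or proxy deny list."""
    return sorted({r[0] for r in rows}, key=ipaddress.ip_address)


def suricata_rules(rows, sid_base=9000000):
    """One IP-layer alert per C2 address. Ports stay 'any' because the report
    lists addresses only; sid_base is an assumed local range."""
    rules = []
    ordered = sorted(rows, key=lambda r: ipaddress.ip_address(r[0]))
    for i, (ip, country, asn, name) in enumerate(ordered):
        msg = f"EMOTET C2 {ip} AS{asn} {name} ({country}) Joe Sandbox 532429"
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any (msg:"{msg}"; '
            f"classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    rows = validate(CONTACTED_IPS)
    print(geo_spread(rows), is_multi_country_beacon(rows))
    print("\n".join(blocklist(rows)))
    print("\n".join(suricata_rules(rows)))
```

The repeated ASNs (Aruba, Linode, OVH, SKSA Technology) are the hosting providers that carried more than one C2 in this configuration; those are the ones worth an abuse report in addition to the per-IP blocks.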

                      General Information

                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:532429
                      Start date:02.12.2021
                      Start time:09:31:02
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 9m 25s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:UioA2E9DBG.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Run name:Run with higher sleep bypass
Number of new started processes analysed:16
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal76.troj.evad.winDLL@22/0@0/29
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 14.1% (good quality ratio 13.5%)
                      • Quality average: 71.8%
                      • Quality standard deviation: 25.2%
                      HCA Information:
                      • Successful, ratio: 70%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                      • Found application associated with file extension: .dll
                      Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      No simulations

                      Joe Sandbox View / Context

                      IPs

Match          | Associated Sample Name / URL | Detection
195.154.133.20 | 916Q89rlYD.dll               | malicious
195.154.133.20 | 9izNuvE61W.dll               | malicious
195.154.133.20 | P5LROPCURK.dll               | malicious
195.154.133.20 | TYLNb8VvnmYA.dll             | malicious
195.154.133.20 | TYLNb8VvnmYA.dll             | malicious
195.154.133.20 | snBYiBAMB2.dll               | malicious
195.154.133.20 | 6zAcNlJXo7.dll               | malicious
195.154.133.20 | 6zAcNlJXo7.dll               | malicious
195.154.133.20 | mal.dll                      | malicious
195.154.133.20 | mal2.dll                     | malicious
195.154.133.20 | mal.dll                      | malicious
195.154.133.20 | mal2.dll                     | malicious
195.154.133.20 | 2gyA5uNl6VPQUA.dll           | malicious
195.154.133.20 | 2gyA5uNl6VPQUA.dll           | malicious
195.154.133.20 | 9sQccNfqAR.dll               | malicious
195.154.133.20 | FILE_464863409880121918.xlsm | malicious
195.154.133.20 | 9sQccNfqAR.dll               | malicious
195.154.133.20 | t3XtgyQEoe.dll               | malicious
195.154.133.20 | t3XtgyQEoe.dll               | malicious
212.237.17.99  | UioA2E9DBG.dll               | malicious
212.237.17.99  | 916Q89rlYD.dll               | malicious
212.237.17.99  | 9izNuvE61W.dll               | malicious
212.237.17.99  | P5LROPCURK.dll               | malicious
212.237.17.99  | TYLNb8VvnmYA.dll             | malicious
212.237.17.99  | TYLNb8VvnmYA.dll             | malicious
212.237.17.99  | snBYiBAMB2.dll               | malicious
212.237.17.99  | 6zAcNlJXo7.dll               | malicious
212.237.17.99  | 6zAcNlJXo7.dll               | malicious
212.237.17.99  | mal.dll                      | malicious
212.237.17.99  | mal2.dll                     | malicious
212.237.17.99  | mal.dll                      | malicious
212.237.17.99  | mal2.dll                     | malicious
212.237.17.99  | 2gyA5uNl6VPQUA.dll           | malicious
212.237.17.99  | 2gyA5uNl6VPQUA.dll           | malicious
212.237.17.99  | 9sQccNfqAR.dll               | malicious
212.237.17.99  | FILE_464863409880121918.xlsm | malicious
212.237.17.99  | 9sQccNfqAR.dll               | malicious
212.237.17.99  | t3XtgyQEoe.dll               | malicious
212.237.17.99  | t3XtgyQEoe.dll               | malicious

                                                                                                    Domains

                                                                                                    No context

                                                                                                    ASN

Match       | Associated Sample Name / URL      | Detection | Context
ARUBA-ASNIT | UioA2E9DBG.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | 916Q89rlYD.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | 9izNuvE61W.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | P5LROPCURK.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | zTGtLv4pTO.dll                    | malicious | 94.177.217.88
ARUBA-ASNIT | zTGtLv4pTO.dll                    | malicious | 94.177.217.88
ARUBA-ASNIT | TYLNb8VvnmYA.dll                  | malicious | 212.237.56.116
ARUBA-ASNIT | TYLNb8VvnmYA.dll                  | malicious | 212.237.56.116
ARUBA-ASNIT | snBYiBAMB2.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | 6zAcNlJXo7.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | 6zAcNlJXo7.dll                    | malicious | 212.237.56.116
ARUBA-ASNIT | DHL DOCUMENT FOR #504.exe         | malicious | 62.149.128.40
ARUBA-ASNIT | RqgAGRvHNwhoreniggagay.dll        | malicious | 94.177.217.88
ARUBA-ASNIT | RqgAGRvHNwhoreniggagay.dll        | malicious | 94.177.217.88
ARUBA-ASNIT | dFUOuTxFQrXAwhoreniggagay.dll     | malicious | 94.177.217.88
ARUBA-ASNIT | RbrKCqqjDPUwhoreniggagay.dll      | malicious | 94.177.217.88
ARUBA-ASNIT | dFUOuTxFQrXAwhoreniggagay.dll     | malicious | 94.177.217.88
ARUBA-ASNIT | RbrKCqqjDPUwhoreniggagay.dll      | malicious | 94.177.217.88
ARUBA-ASNIT | mal.dll                           | malicious | 212.237.56.116
ARUBA-ASNIT | mal2.dll                          | malicious | 212.237.56.116
OnlineSASFR | UioA2E9DBG.dll                    | malicious | 195.154.133.20
OnlineSASFR | 916Q89rlYD.dll                    | malicious | 195.154.133.20
OnlineSASFR | 9izNuvE61W.dll                    | malicious | 195.154.133.20
OnlineSASFR | P5LROPCURK.dll                    | malicious | 195.154.133.20
OnlineSASFR | GlobalfoundriesINV33-45776648.htm | malicious | 51.15.17.195
OnlineSASFR | TYLNb8VvnmYA.dll                  | malicious | 195.154.133.20
OnlineSASFR | TYLNb8VvnmYA.dll                  | malicious | 195.154.133.20
OnlineSASFR | snBYiBAMB2.dll                    | malicious | 195.154.133.20
OnlineSASFR | 6zAcNlJXo7.dll                    | malicious | 195.154.133.20
OnlineSASFR | 6zAcNlJXo7.dll                    | malicious | 195.154.133.20
OnlineSASFR | mal.dll                           | malicious | 195.154.133.20
OnlineSASFR | mal2.dll                          | malicious | 195.154.133.20
OnlineSASFR | mal.dll                           | malicious | 195.154.133.20
OnlineSASFR | mal2.dll                          | malicious | 195.154.133.20
OnlineSASFR | 2gyA5uNl6VPQUA.dll                | malicious | 195.154.133.20
OnlineSASFR | 2gyA5uNl6VPQUA.dll                | malicious | 195.154.133.20
OnlineSASFR | spZRMihlrkFGqYq1f.dll             | malicious | 195.154.146.35
OnlineSASFR | spZRMihlrkFGqYq1f.dll             | malicious | 195.154.146.35
OnlineSASFR | AtlanticareINV25-67431254.htm     | malicious | 51.15.17.195
OnlineSASFR | 9sQccNfqAR.dll                    | malicious | 195.154.133.20

                                                                                                    JA3 Fingerprints

                                                                                                    No context

                                                                                                    Dropped Files

                                                                                                    No context

                                                                                                    Created / dropped Files

                                                                                                    No created / dropped files found

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):7.196240298834973
                                                                                                    TrID:
                                                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:UioA2E9DBG.dll
                                                                                                    File size:473600
                                                                                                    MD5:6988533cf7cbdccd0ea429571e0441a9
                                                                                                    SHA1:27836d3e04a31548fa09ec8537ba50777a73a42a
                                                                                                    SHA256:8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3
                                                                                                    SHA512:2d48c1b8ef38ad9d0a68650896b5ee69bdcea2caeddfe55e8cadd7b5f411311a8a43a09ce33ca5d6b5e341f38f30fbe41a0aa91048a8b2c5a2a663013f8b1e40
                                                                                                    SSDEEP:12288:mFyGBDytNZAR5Myju+qQuj/J+7C6Dg8stHb1h:mF92e/jEk7zDg8stJh
                                                                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........A~.. ... ... ...F... ...F..D ...U... ...U... ...U... ...F... ...F... ...F... ... ..< ..TU... ..TU... ..TU... ... ... ..TU... .

                                                                                                    File Icon

                                                                                                    Icon Hash:74f0e4ecccdce0e4

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x10014c2e
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x10000000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                    Time Stamp:0x61A7B2E7 [Wed Dec 1 17:37:43 2021 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:6
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:6
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:6
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:057d91f9747659ff50a0558e0aed5a44
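The values under Static File Info and Static PE Info are read straight from the file header, and it is worth being able to recompute them yourself, for instance to confirm the decoded time stamp or the "PE file contains an invalid checksum" signature on a sample of your own. The following added example (mine, not code from the report or from any PE library) parses a PE32 header and recomputes the entropy figure, the entry point VA, the two characteristics bit fields and the CheckSum. SAMPLE_PE is a constructed minimal header, with no sections or imports, whose fields are set to the values shown above for UioA2E9DBG.dll (entry point RVA 0x14C2E, image base 0x10000000, time stamp 0x61A7B2E7, characteristics 0x2102, DLL characteristics 0x0140, subsystem 2); it is not the sample itself, so the entropy and checksum it yields belong to the constructed blob only. The import hash is not reproduced because this blob carries no import directory.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (subset), ascending bit order.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, ascending bit order.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

def flag_names(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in table.items() if value & bit]

def shannon_entropy(data):
    """Bits per byte in 0.0..8.0, the report's 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_checksum(data, checksum_offset):
    """CheckSum as the loader computes it: sum 32-bit words with end-around
    carry, skipping the CheckSum field itself, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe32(data):
    """Read the fields shown under Static PE Info from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    checksum_off = opt + 64
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    computed = pe_checksum(data, checksum_off)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "entry_point_rva": entry_rva,
        "image_base": image_base,
        "entry_point_va": image_base + entry_rva,
        "subsystem": subsystem,
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
    }

def build_sample_pe(checksum=0):
    """Constructed minimal PE32 header (no sections) carrying the report's values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # signature, Machine=i386, 0 sections, TimeDateStamp, symtab, nsyms, opt hdr size, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0x61A7B2E7, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x14C2E)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)   # ImageBase
    struct.pack_into("<HH", opt, 40, 6, 0)        # OS version 6.0
    struct.pack_into("<HH", opt, 48, 6, 0)        # subsystem version 6.0
    struct.pack_into("<I", opt, 64, checksum)     # CheckSum
    struct.pack_into("<HH", opt, 68, 2, 0x0140)   # WINDOWS_GUI; DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    return bytes(dos + coff + opt)

def with_valid_checksum(data):
    """Copy of data with the CheckSum field rewritten to the computed value."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 4 + 20 + 64
    patched = bytearray(data)
    struct.pack_into("<I", patched, checksum_off, pe_checksum(data, checksum_off))
    return bytes(patched)

SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(parse_pe32(SAMPLE_PE))
    print(f"entropy: {shannon_entropy(SAMPLE_PE):.3f}")
```

Running it against the constructed header yields entry point VA 0x10014C2E, the time stamp decoded as 2021-12-01 17:37:43 UTC, EXECUTABLE_IMAGE, 32BIT_MACHINE and DLL for the file characteristics, DYNAMIC_BASE and NX_COMPAT for the DLL characteristics, and checksum_valid False because the field is left at zero, which is the common case for unsigned malware and what the sandbox reports as an invalid checksum. Pointing parse_pe32 at real file bytes gives the same fields for any PE32; the entropy of a whole file near 7.2 bits per byte, as reported above, is the usual indication of a packed or encrypted payload and is consistent with the unpacked PE files the sandbox extracted at runtime.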

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    push ebp
                                                                                                    mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FB8E45D38A7h
call 00007FB8E45D3CADh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FB8E45D3753h
add esp, 0Ch
pop ebp
retn 000Ch
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003A410h
mov dword ptr [ecx], 1003A408h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FB8E45D387Fh
push 10049FDCh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FB8E45D6FAEh
int3
push ebp
mov ebp, esp
and dword ptr [1004E888h], 00000000h
sub esp, 24h
or dword ptr [1004D00Ch], 01h
push 0000000Ah
call dword ptr [1003A0E8h]
test eax, eax
je 00007FB8E45D3A4Fh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x4aaa0          0x944         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4b3e4          0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x50000          0x24448       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x75000          0x2d78        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x46838          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IAT             0x3a000          0x328         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x385cc       0x38600   False     0.542072304601   data       6.65370681685  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x3a000          0x12520       0x12600   False     0.497967155612   data       5.51962067899  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x4d000          0x23d4        0x1600    False     0.2265625        data       3.93138515856  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x50000          0x24448       0x24600   False     0.788874570447   data       7.67571153778  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x75000          0x2d78        0x2e00    False     0.740913722826   data       6.57934659057  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size     Type                   Language  Country
TYPELIB      0x73c30  0x670    data                   English   United States
RT_BITMAP    0x50190  0x23867  data                   Russian   Russia
RT_STRING    0x742a0  0x26     data                   English   United States
RT_VERSION   0x739f8  0x238    data                   English   United States
RT_MANIFEST  0x742c8  0x17d    XML 1.0 document text  English   United States

Imports

DLL: Imports
pdh.dll: PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll: UnregisterApplicationRestart, GetThreadLocale, UnregisterApplicationRecoveryCallback, SetFileApisToOEM, GetACP, GetCurrentProcessorNumber, GetLastError, AreFileApisANSI, GetEnvironmentStringsW, GetCommandLineW, TlsAlloc, SwitchToThread, GetUserDefaultUILanguage, GetUserDefaultLangID, GetOEMCP, IsDebuggerPresent, MultiByteToWideChar, RaiseException, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, GetCurrentThreadId, MulDiv, SetLastError, DisableThreadLibraryCalls, IsProcessorFeaturePresent, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleCP, GetCurrentProcess, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, FreeEnvironmentStringsW, GetCommandLineA, IsValidCodePage, FindNextFileW, FindFirstFileExW, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleHandleExW, ExitProcess, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, InterlockedFlushSList, RtlUnwind, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, LCMapStringEx, EncodePointer, GetSystemDefaultUILanguage, GetStartupInfoW, GetTickCount, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetLogicalDrives, GetTickCount64, ReadConsoleW, SetStdHandle, CreateFileW, WriteConsoleW, TerminateProcess, SetUnhandledExceptionFilter, WriteFile, LocalFree, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, UnhandledExceptionFilter
USER32.dll: GetForegroundWindow, GetMessageExtraInfo, GetMessageTime, CreateMenu, GetDesktopWindow, AnyPopup, GetMenuCheckMarkDimensions, GetFocus, IsProcessDPIAware, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, GetWindowLongW, SetWindowLongW, CharNextW, UnregisterClassW, IsWow64Message, GetKBCodePage, GetCapture, EmptyClipboard, DestroyCaret, GetCursor, GetClipboardViewer, GetProcessWindowStation, GetDialogBaseUnits, GetClipboardSequenceNumber
GDI32.dll: SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, GetTextMetricsW, GetDeviceCaps, GdiFlush, SelectObject
ADVAPI32.dll: RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll: ShellExecuteW, SHGetFolderPathW
ole32.dll: CoUninitialize, CoFreeUnusedLibraries, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll: SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib, LoadRegTypeLib

Exports

Name               Ordinal  Address
Control_RunDLL     1        0x10001200
agrwqhxohbh        2        0x10001640
aoydsyidkopcdbcv   3        0x10001590
aqaxnxiyp          4        0x100017f0
aqifizcrcigtbc     5        0x100014d0
blgyxvnrgnj        6        0x10001340
bmhoscqeo          7        0x10001800
cbhbbbnsysmxsglys  8        0x10001280
cfqauuhezdfiadv    9        0x10001300
cqaqtfmqa          10       0x100014e0
cqvdnmef           11       0x10001520
diemgfpllpxdynrp   12       0x10001660
dsjfkiuaxjmd       13       0x10001620
dvccbqldzo         14       0x10001440
eczhlkzhigpqdmji   15       0x10001690
efekjykefnomyepb   16       0x10001240
euzzsyjhhyjk       17       0x100014a0
ewfjolbrdkpfbu     18       0x100016a0
eyxfduuwswrkkfb    19       0x10001460
fcsjavaerhwh       20       0x10001460
fcvpuvlkd          21       0x10001770
fuiqbwlhvf         22       0x10001350
fuqdrqudohprlav    23       0x10001670
gdkmnewqrifmu      24       0x100013c0
giqdygu            25       0x100013b0
glvwwvhxytydlsckc  26       0x10001380
gqmumjymsqech      27       0x10001580
gyjdlfnpvuwyns     28       0x10001650
hezdupwudyyyunzce  29       0x10001570
hizzovalrzxhws     30       0x10001370
hqgltakgvouu       31       0x10001500
hxgrftzpapbksfw    32       0x10001810
hyjgiak            33       0x10001510
ibfqhgpcdmnlpuk    34       0x10001710
ijgncsgxqm         35       0x100016c0
ikolskwqhh         36       0x100012f0
iqpjrfuazqzzwyo    37       0x10001530
isnzfcopptq        38       0x100017e0
jotmsherwxebbxdwx  39       0x100013f0
jpbchpiky          40       0x100014b0
keopfre            41       0x100012d0
kgbfkdt            42       0x100017c0
kqfozymw           43       0x10001550
kqfwxmzinluclznz   44       0x100016d0
ksctsripmbdzxec    45       0x10001360
kxtqnogkhyqfdk     46       0x10001750
kyetmotely         47       0x100015c0
kzmqflbfkeynkpnrq  48       0x10001560
lwpzefcmc          49       0x10001680
mdicbempsw         50       0x10001760
mpniirdopznongc    51       0x100015f0
nfrruustkviwho     52       0x10001490
nnkxzau            53       0x10001540
ntlbxpnmpq         54       0x10001230
nylgigzlzgq        55       0x100014f0
oeeppbdhlwtqbebsc  56       0x10001780
oqimmdcao          57       0x100017d0
osmdblb            58       0x10001330
oulnevvyoxvhtk     59       0x10001700
ozjhpfvilsnz       60       0x10001790
pagmvmro           61       0x10001320
payapldnccmqll     62       0x10001730
pfzpoofrhpqtfonq   63       0x10001420
phaingm            64       0x10001740
pnmndzlcdiozheqcr  65       0x10001480
ptvzejspfsvtd      66       0x100013d0
qqpdqfhvygfzbonj   67       0x100015a0
qvaqcsa            68       0x100016b0
reounuhn           69       0x10001400
rljiirg            70       0x100016f0
rzoamlp            71       0x10001680
sgrpewcbpscaglfx   72       0x100012a0
silzddmlwg         73       0x10001430
sndamdd            74       0x100015e0
suxfnypakljbnhg    75       0x10001310
szmxqtjgfdddthzk   76       0x10001270
tdgezaxepwnz       77       0x10001470
toikjwtfacwnkn     78       0x100012e0
twtkllimi          79       0x10001390
ubpocaaeiir        80       0x10001820
ucnbopvvjujq       81       0x100012b0
umbcxxdpseqvmldz   82       0x100013e0
utuywjyiha         83       0x100015d0
uwqjkkocvv         84       0x100017a0
vghlpxvxj          85       0x10001560
vpqbpugn           86       0x100016e0
vqexozpspangdtj    87       0x10001250
vsdkqknjinjykgbox  88       0x100015b0
vtmgzxszfgtryo     89       0x100017b0
vwmgmxgrrqxpkt     90       0x10001700
vwrjazoqyjdmbl     91       0x100012c0
wkhdiwewd          92       0x10001600
xkarkqyvb          93       0x100014c0
xksexikuknuashri   94       0x10001260
xvhmkowwnqqduu     95       0x10001610
ycvymuzl           96       0x10001630
ydlbmankf          97       0x10001410
yfnbxcvx           98       0x100013a0
ygpnkudw           99       0x10001290
zdchnvpeni         100      0x10001720
znvawoxitvi        101      0x10001450

Version Infos

Description       Data
InternalName      Ylncpiqzme.dll
FileVersion       7.2.6.9
ProductName       Ylncpiqzme
ProductVersion    7.2.6.9
FileDescription   rqdads
OriginalFilename  Ylncpiqzme.dll
Translation       0x0408 0x04e4

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States
Russian                         Russia

Network Behavior

No network behavior found

System Behavior

General

Start time: 09:31:58
Start date: 02/12/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll"
Imagebase: 0x120000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.627609391.0000000000A8B000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.627509669.0000000000830000.00000040.00000010.sdmp, Author: Joe Security
Reputation: high

                                                                                                    General

                                                                                                    Start time:09:31:58
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
                                                                                                    Imagebase:0xd80000
                                                                                                    File size:232960 bytes
                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:31:58
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.625242397.0000000002E96000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.625153138.0000000002CC0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:31:58
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.609722465.0000000002875000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.609690193.00000000027A0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:32:03
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.611321700.000000000306A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.611275948.0000000002DB0000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:32:10
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.626711178.0000000002ADA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.626631642.0000000002790000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:34:16
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:34:17
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uteaesuoyewsu\kffdjmqicgbnmom.ioj",ArlfCURNcI
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:34:28
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:34:35
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:34:36
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
                                                                                                    Imagebase:0x370000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:09:34:38
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                    Imagebase:0x7ff70d6e0000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Disassembly

                                                                                                    Code Analysis
