Windows Analysis Report CSxylfUJcL

Overview

General Information

Sample Name: CSxylfUJcL (renamed file extension from none to dll)
Analysis ID: 553113
MD5: fa7ab814336d3ee4312c262457e01f01
SHA1: 73e1844abe6d99a57345464f418279d596985202
SHA256: c89c49c3e8e37835ab53bfd9ff9ab97c80e037f0fdfe7e8df6a7d3d86fa62782
Tags: 32dllexe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.5280000.8.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: CSxylfUJcL.dll Virustotal: Detection: 21%
Source: CSxylfUJcL.dll ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: CSxylfUJcL.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: CSxylfUJcL.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49766 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49770 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: the 27 C2 endpoints listed in the extracted Emotet configuration above
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49770 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: rundll32.exe, 0000000C.00000003.461140176.0000000004DBF000.00000004.00000001.sdmp String found in binary or memory: http://crl.globals
Source: svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863214782.000001B96A085000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863099825.000001B96A013000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000C.00000003.460557624.0000000004DF7000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac3be1d532533
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000C.00000003.461301561.0000000004DED000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.460548550.0000000004DED000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.461164296.0000000004DED000.00000004.00000001.sdmp String found in binary or memory: https://69dl.windowsupdate.com/
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.481145725.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481291827.000002DCF0202000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481239356.000002DCEFDA4000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481311470.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481252613.000002DCF0219000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100012D0 recvfrom

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud:

Yara detected Emotet

System Summary:

Uses 32bit PE files
Source: CSxylfUJcL.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Ovttmq\chwg.qvw:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ovttmq\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CB16 3_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018E7D 3_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10025EB1 3_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C185FF 3_2_04C185FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1EFDD 3_2_04C1EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1CCD9 3_2_04C1CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1E4E5 3_2_04C1E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C01CA1 3_2_04C01CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C07442 3_2_04C07442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0A445 3_2_04C0A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1DC71 3_2_04C1DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1A474 3_2_04C1A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C03431 3_2_04C03431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1C5D5 3_2_04C1C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0C5D8 3_2_04C0C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C19DF5 3_2_04C19DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C055FF 3_2_04C055FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C13D85 3_2_04C13D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1654A 3_2_04C1654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C22D53 3_2_04C22D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C17D5B 3_2_04C17D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1AD08 3_2_04C1AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C15515 3_2_04C15515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C18D3D 3_2_04C18D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C23EE9 3_2_04C23EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1BEFD 3_2_04C1BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C236AA 3_2_04C236AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C13EAA 3_2_04C13EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0C6B8 3_2_04C0C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C10EBC 3_2_04C10EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C246BD 3_2_04C246BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0E640 3_2_04C0E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C12E5D 3_2_04C12E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0DE74 3_2_04C0DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C07E79 3_2_04C07E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1567B 3_2_04C1567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C08636 3_2_04C08636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0E7DE 3_2_04C0E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C167E6 3_2_04C167E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C107F4 3_2_04C107F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C127F9 3_2_04C127F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C10F86 3_2_04C10F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C077A3 3_2_04C077A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C207AA 3_2_04C207AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C18FAE 3_2_04C18FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C057B8 3_2_04C057B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0BFBE 3_2_04C0BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C217BD 3_2_04C217BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1FF58 3_2_04C1FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C14F74 3_2_04C14F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C19774 3_2_04C19774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C15779 3_2_04C15779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0670B 3_2_04C0670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0EF0C 3_2_04C0EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C01F38 3_2_04C01F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C080C0 3_2_04C080C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1D8DB 3_2_04C1D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0F0E9 3_2_04C0F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C200EF 3_2_04C200EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1F840 3_2_04C1F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0A871 3_2_04C0A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C07078 3_2_04C07078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C18806 3_2_04C18806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C22009 3_2_04C22009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0B820 3_2_04C0B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1E1F8 3_2_04C1E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C16187 3_2_04C16187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C02194 3_2_04C02194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1D1BC 3_2_04C1D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C12142 3_2_04C12142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0D14C 3_2_04C0D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1E955 3_2_04C1E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1017B 3_2_04C1017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1CAD5 3_2_04C1CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1A2A5 3_2_04C1A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0BAA9 3_2_04C0BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C10ABA 3_2_04C10ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C14244 3_2_04C14244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1B257 3_2_04C1B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C23263 3_2_04C23263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C20A64 3_2_04C20A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C14A66 3_2_04C14A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C19A01 3_2_04C19A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C17A0F 3_2_04C17A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1FBDE 3_2_04C1FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C04BFC 3_2_04C04BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0238C 3_2_04C0238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0FB8E 3_2_04C0FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0F369 3_2_04C0F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C06B7A 3_2_04C06B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C1437A 3_2_04C1437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C22B09 3_2_04C22B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C15333 3_2_04C15333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8B257 4_2_04C8B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C84A66 4_2_04C84A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7DE74 4_2_04C7DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C92009 4_2_04C92009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C87A0F 4_2_04C87A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C78636 4_2_04C78636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8EFDD 4_2_04C8EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7C5D8 4_2_04C7C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C885FF 4_2_04C885FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C917BD 4_2_04C917BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8654A 4_2_04C8654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C82142 4_2_04C82142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8FF58 4_2_04C8FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8E955 4_2_04C8E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8AD08 4_2_04C8AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7670B 4_2_04C7670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C780C0 4_2_04C780C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8CCD9 4_2_04C8CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8D8DB 4_2_04C8D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8CAD5 4_2_04C8CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C93EE9 4_2_04C93EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C900EF 4_2_04C900EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8E4E5 4_2_04C8E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7F0E9 4_2_04C7F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8BEFD 4_2_04C8BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C83EAA 4_2_04C83EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C936AA 4_2_04C936AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C71CA1 4_2_04C71CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8A2A5 4_2_04C8A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7BAA9 4_2_04C7BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C80ABA 4_2_04C80ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C946BD 4_2_04C946BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C80EBC 4_2_04C80EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7C6B8 4_2_04C7C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7A445 4_2_04C7A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C77442 4_2_04C77442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7E640 4_2_04C7E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8F840 4_2_04C8F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C84244 4_2_04C84244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C82E5D 4_2_04C82E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C93263 4_2_04C93263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C90A64 4_2_04C90A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8567B 4_2_04C8567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7A871 4_2_04C7A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8DC71 4_2_04C8DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8A474 4_2_04C8A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C77E79 4_2_04C77E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C77078 4_2_04C77078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C89A01 4_2_04C89A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C88806 4_2_04C88806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7B820 4_2_04C7B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C73431 4_2_04C73431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8FBDE 4_2_04C8FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7E7DE 4_2_04C7E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8C5D5 4_2_04C8C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C867E6 4_2_04C867E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8E1F8 4_2_04C8E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C827F9 4_2_04C827F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C755FF 4_2_04C755FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C74BFC 4_2_04C74BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C807F4 4_2_04C807F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C89DF5 4_2_04C89DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7FB8E 4_2_04C7FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7238C 4_2_04C7238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C83D85 4_2_04C83D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C80F86 4_2_04C80F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C86187 4_2_04C86187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C72194 4_2_04C72194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C907AA 4_2_04C907AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C777A3 4_2_04C777A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C88FAE 4_2_04C88FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8D1BC 4_2_04C8D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7BFBE 4_2_04C7BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C757B8 4_2_04C757B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7D14C 4_2_04C7D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C87D5B 4_2_04C87D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C92D53 4_2_04C92D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7F369 4_2_04C7F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C85779 4_2_04C85779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8437A 4_2_04C8437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C8017B 4_2_04C8017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C84F74 4_2_04C84F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C89774 4_2_04C89774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C76B7A 4_2_04C76B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C92B09 4_2_04C92B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7EF0C 4_2_04C7EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C85515 4_2_04C85515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C88D3D 4_2_04C88D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C85333 4_2_04C85333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C71F38 4_2_04C71F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B2009 5_2_041B2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A7A0F 5_2_041A7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04198636 5_2_04198636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419DE74 5_2_0419DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A4A66 5_2_041A4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419670B 5_2_0419670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AAD08 5_2_041AAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AFF58 5_2_041AFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A654A 5_2_041A654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A2142 5_2_041A2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419C5D8 5_2_0419C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AEFDD 5_2_041AEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A9A01 5_2_041A9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A8806 5_2_041A8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04193431 5_2_04193431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419B820 5_2_0419B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A2E5D 5_2_041A2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AB257 5_2_041AB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419E640 5_2_0419E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AF840 5_2_041AF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04197442 5_2_04197442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419A445 5_2_0419A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A4244 5_2_041A4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04197E79 5_2_04197E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04197078 5_2_04197078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A567B 5_2_041A567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419A871 5_2_0419A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041ADC71 5_2_041ADC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AA474 5_2_041AA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B3263 5_2_041B3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B0A64 5_2_041B0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A0ABA 5_2_041A0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419C6B8 5_2_0419C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B46BD 5_2_041B46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A0EBC 5_2_041A0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A3EAA 5_2_041A3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419BAA9 5_2_0419BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B36AA 5_2_041B36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04191CA1 5_2_04191CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AA2A5 5_2_041AA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AD8DB 5_2_041AD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041ACCD9 5_2_041ACCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041ACAD5 5_2_041ACAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041980C0 5_2_041980C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041ABEFD 5_2_041ABEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419F0E9 5_2_0419F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B3EE9 5_2_041B3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B00EF 5_2_041B00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AE4E5 5_2_041AE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A5515 5_2_041A5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B2B09 5_2_041B2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419EF0C 5_2_0419EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04191F38 5_2_04191F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A8D3D 5_2_041A8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A5333 5_2_041A5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A7D5B 5_2_041A7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B2D53 5_2_041B2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AE955 5_2_041AE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419D14C 5_2_0419D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A437A 5_2_041A437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A017B 5_2_041A017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A5779 5_2_041A5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04196B7A 5_2_04196B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A4F74 5_2_041A4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A9774 5_2_041A9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419F369 5_2_0419F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04192194 5_2_04192194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419238C 5_2_0419238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419FB8E 5_2_0419FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A0F86 5_2_041A0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A6187 5_2_041A6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A3D85 5_2_041A3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041957B8 5_2_041957B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AD1BC 5_2_041AD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B17BD 5_2_041B17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419BFBE 5_2_0419BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041B07AA 5_2_041B07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A8FAE 5_2_041A8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041977A3 5_2_041977A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AFBDE 5_2_041AFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419E7DE 5_2_0419E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AC5D5 5_2_041AC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041AE1F8 5_2_041AE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A27F9 5_2_041A27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A85FF 5_2_041A85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04194BFC 5_2_04194BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041955FF 5_2_041955FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A07F4 5_2_041A07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A9DF5 5_2_041A9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_041A67E6 5_2_041A67E6
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001984C appears 48 times
Sample file is different than original file name gathered from version info
Source: CSxylfUJcL.dll Binary or memory string: OriginalFilenameUDPTool.EXE: vs CSxylfUJcL.dll
PE file contains strange resources
Source: CSxylfUJcL.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: CSxylfUJcL.dll Virustotal: Detection: 21%
Source: CSxylfUJcL.dll ReversingLabs: Detection: 32%
Source: CSxylfUJcL.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal96.troj.evad.winDLL@22/7@0/29
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource, 2_2_100126F9
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: CSxylfUJcL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CSxylfUJcL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CSxylfUJcL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CSxylfUJcL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CSxylfUJcL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10019891 push ecx; ret 2_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10017C60 push ecx; ret 2_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B81195 push cs; iretd 2_2_04B81197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019891 push ecx; ret 3_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10017C60 push ecx; ret 3_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C01195 push cs; iretd 3_2_04C01197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C71195 push cs; iretd 4_2_04C71197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04191195 push cs; iretd 5_2_04191197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
PE file contains an invalid checksum
Source: CSxylfUJcL.dll Static PE information: real checksum: 0x66354 should be: 0x71965
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Ovttmq\chwg.qvw

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ovttmq\chwg.qvw:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Abljunuakaktiaef\sdkjkrifiykc.rkg:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_10008B90
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4996 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6896 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7100 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.0 %
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000018.00000002.863191376.000001B96A062000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.501016331.000002DCEF4C6000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.500795053.000002DCEF470000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.862775563.000001B96482A000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863177816.000001B96A055000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B8F7F7 mov eax, dword ptr fs:[00000030h] 2_2_04B8F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04C0F7F7 mov eax, dword ptr fs:[00000030h] 3_2_04C0F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C7F7F7 mov eax, dword ptr fs:[00000030h] 4_2_04C7F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0419F7F7 mov eax, dword ptr fs:[00000030h] 5_2_0419F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 2_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 2_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 3_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 3_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_10023880
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022853 cpuid 2_2_10022853
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1001F914
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6

Stealing of Sensitive Information:

Yara detected Emotet

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_100011C0