Analysis Report zGeK5so94c

Overview

General Information

Sample Name: zGeK5so94c (renamed file extension from none to dll)
Analysis ID: 344305
MD5: 49fbffd7602b52f05848a6016d42ec89
SHA1: b57bb387a15b3c0e10a236f3861420a9dac980cb
SHA256: 1859099c09c69aa811c525e9e70787c49048e3c24814d31ea2a17905cfad9d18

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
Uses known network protocols on non-standard ports
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zGeK5so94c.dll Avira: detected
Machine Learning detection for sample
Source: zGeK5so94c.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F545700 RegOpenKeyA,EncryptFileA,VirtualAlloc,Sleep,ExitProcess, 16_2_6F545700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F542180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, 16_2_6F542180

Compliance:

Uses 32bit PE files
Source: zGeK5so94c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: zGeK5so94c.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: aqmjrtmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000003.00000002.673102798.0000000002E72000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F558C1D FindFirstFileExA, 16_2_6F558C1D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.4:49745 -> 190.55.186.229:80
Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.4:49750 -> 203.157.152.9:7080
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 7080
Source: unknown Network traffic detected: HTTP traffic on port 7080 -> 49750
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49750 -> 203.157.152.9:7080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 203.157.152.9 203.157.152.9
Source: Joe Sandbox View IP Address: 190.55.186.229 190.55.186.229
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MOPH-TH-APInformationTechnologyOfficeSG MOPH-TH-APInformationTechnologyOfficeSG
Source: Joe Sandbox View ASN Name: TelecentroSAAR TelecentroSAAR
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.4:49745 -> 190.55.186.229:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/ HTTP/1.1DNT: 0Referer: 203.157.152.9/2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/Content-Type: multipart/form-data; boundary=---------FFexYarq3User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 203.157.152.9:7080Content-Length: 6212Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /k8idqdr2/ HTTP/1.1DNT: 0Referer: 203.157.152.9/k8idqdr2/Content-Type: multipart/form-data; boundary=-----------QeejNQ4AFByUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 203.157.152.9:7080Content-Length: 5732Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 203.157.152.9
Source: svchost.exe, 0000000E.00000002.780262816.000001D9CB130000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000002.780262816.000001D9CB130000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000002.780262816.000001D9CB130000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-01-22T08:15:59.5362912Z||.||7d25cb34-9460-4ea4-a627-d9782709c6d8||1152921505692809496||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000E.00000003.767667320.000001D9CB1DF000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000003.767667320.000001D9CB1DF000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.759251389.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000E.00000003.759251389.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 0000000E.00000003.759319799.000001D9CB19C000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: unknown HTTP traffic detected:
POST /2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/ HTTP/1.1
DNT: 0
Referer: 203.157.152.9/2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/
Content-Type: multipart/form-data; boundary=---------FFexYarq3
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 203.157.152.9:7080
Content-Length: 6212
Connection: Keep-Alive
Cache-Control: no-cache
Source: svchost.exe, 0000000E.00000002.780274733.000001D9CB13C000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000E.00000002.780274733.000001D9CB13C000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000E.00000002.780274733.000001D9CB13C000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000E.00000002.780274733.000001D9CB13C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000E.00000003.759251389.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000E.00000003.759251389.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000E.00000003.758023398.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 0000000E.00000003.758023398.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000E.00000003.766031353.000001D9CB130000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.766166337.000001D9CB185000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000E.00000003.766254523.000001D9CB163000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.766166337.000001D9CB185000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.766055144.000001D9CB16C000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000E.00000003.766031353.000001D9CB130000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.766166337.000001D9CB185000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000E.00000003.759251389.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000E.00000003.758023398.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000E.00000003.758023398.000001D9CB17B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 0000000E.00000003.766031353.000001D9CB130000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.766166337.000001D9CB185000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000E.00000003.766031353.000001D9CB130000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.766166337.000001D9CB185000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
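The POST recorded above, to 203.157.152.9:7080, shows the traits a network analyst can key on without a body capture: a bare-IP Host header on a non-standard port, a path built from random alphanumeric segments, a Referer with no scheme that simply mirrors host and path, a multipart/form-data body and an "MSIE 7.0" user agent paired with a Trident/7.0 engine token. The Python below is an added example, not part of the report or of Joe Sandbox: it parses a raw HTTP request head and counts those indicators. The first request is the one recorded above with its line breaks restored; the benign request, the indicator names, the port whitelist and the decision threshold are this example's own assumptions.

```python
"""Heuristic triage of an HTTP request head for Emotet-style C2 beaconing."""
import re
from urllib.parse import urlsplit

# Request head recorded in the report (line breaks restored; the body was not captured).
EMOTET_REQUEST = (
    "POST /2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/ HTTP/1.1\r\n"
    "DNT: 0\r\n"
    "Referer: 203.157.152.9/2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/\r\n"
    "Content-Type: multipart/form-data; boundary=---------FFexYarq3\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; "
    "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    ".NET CLR 3.5.30729)\r\n"
    "Host: 203.157.152.9:7080\r\n"
    "Content-Length: 6212\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign upload for contrast (not from the report).
BENIGN_REQUEST = (
    "POST /api/v1/upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/88.0\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
    "Referer: https://files.example.com/upload\r\n"
    "Content-Length: 1024\r\n"
    "\r\n"
)

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STANDARD_PORTS = {80, 443}   # assumption: anything else counts as non-standard


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def split_host(host_header):
    """Return (host, port) from a Host header; port defaults to 80 when absent."""
    host, _, port = host_header.partition(":")
    return host, int(port) if port.isdigit() else 80


def emotet_c2_indicators(raw):
    """Return the names of the indicators that fire on this request, in fixed order."""
    method, path, headers = parse_request(raw)
    host, port = split_host(headers.get("host", ""))
    hits = []
    if method != "POST":
        return hits
    if IPV4.match(host):
        hits.append("ip_literal_host")            # C2 addressed by raw IP, no domain
    if port not in STANDARD_PORTS:
        hits.append("non_standard_port")          # 7080 in this report
    # Path made only of short lowercase alphanumeric segments (five of them above)
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 3 and all(re.fullmatch(r"[a-z0-9]{3,12}", s) for s in segments):
        hits.append("random_path_segments")
    # Referer carries no scheme and just repeats host and path
    referer = headers.get("referer", "")
    if referer and not urlsplit(referer).scheme and referer.startswith(host):
        hits.append("schemeless_self_referer")
    if headers.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart_body")
    ua = headers.get("user-agent", "")
    if "MSIE 7.0" in ua and "Trident/7.0" in ua:
        hits.append("legacy_msie_ua")            # IE7 token on a Trident/7 (IE11) engine
    return hits


def is_emotet_like(raw, threshold=4):
    """Flag the request when at least `threshold` indicators fire (threshold is an assumption)."""
    return len(emotet_c2_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, req in (("report", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, emotet_c2_indicators(req), is_emotet_like(req))
```

The benign upload also uses multipart/form-data, so a single indicator is not enough on its own; the request above fires all six, which is why the decision is a count rather than any one header.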

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: zGeK5so94c.dll, type: SAMPLE
Source: Yara match File source: 00000005.00000002.679972484.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.678150026.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.773552883.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680588418.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.729e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.729e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.729e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.729e0000.1.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to delete services
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F545CE0 GetModuleFileNameW,PathFindFileNameW,OpenSCManagerW,OpenServiceW,DeleteService,CloseHandle,RegCreateKeyExW,RegDeleteValueW,CloseHandle,MoveFileW,ExitProcess, 16_2_6F545CE0
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hbjpd\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Hbjpd\usib.lxs:Zone.Identifier Jump to behavior
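The three findings above describe one routine: code function 16_2_6F545CE0 resolves its own image path, removes a service and a registry value, moves a file and exits, while the file events show a new subdirectory under C:\Windows\SysWOW64 and the deletion of a Zone.Identifier stream (the mark-of-the-web) on a file with a non-PE extension. The Python below is an added example, not part of the report or of Joe Sandbox: it parses behaviour lines in this report's format and flags that combination. The three sample lines are copied from this section; the rule names, the API-order patterns, the system-directory list and the PE-extension list are this example's own assumptions.

```python
"""Triage of sandbox behaviour lines for a relocate-and-clean-up routine."""
import re

# Sample lines copied from the System Summary of this report.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F545CE0 "
    r"GetModuleFileNameW,PathFindFileNameW,OpenSCManagerW,OpenServiceW,DeleteService,"
    r"CloseHandle,RegCreateKeyExW,RegDeleteValueW,CloseHandle,MoveFileW,ExitProcess, 16_2_6F545CE0",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hbjpd\ Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File deleted: "
    r"C:\Windows\SysWOW64\Hbjpd\usib.lxs:Zone.Identifier Jump to behavior",
]

CODE_FUNC = re.compile(r"^Source: (?P<proc>\S+) Code function: (?P<fid>\S+) (?P<apis>\S+) \S+$")
FILE_EVENT = re.compile(
    r"^Source: (?P<proc>\S+) File (?P<op>created|deleted): (?P<path>.+?)(?: Jump to behavior)?$"
)

# API call orders that together make up a self-uninstall / relocation routine (assumed rules).
API_RULES = {
    "service_removal": ["OpenSCManagerW", "OpenServiceW", "DeleteService"],
    "registry_value_removal": ["RegCreateKeyExW", "RegDeleteValueW"],
    "self_relocation": ["GetModuleFileNameW", "MoveFileW", "ExitProcess"],
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # assumed list
PE_EXTENSIONS = (".dll", ".exe")                                         # assumed list


def parse_line(line):
    """Turn one report line into an event dict, or None for other line kinds."""
    m = CODE_FUNC.match(line)
    if m:
        apis = [a for a in m.group("apis").split(",") if a]
        return {"kind": "code", "proc": m.group("proc"), "fid": m.group("fid"), "apis": apis}
    m = FILE_EVENT.match(line)
    if m:
        return {"kind": "file", "proc": m.group("proc"), "op": m.group("op"), "path": m.group("path")}
    return None


def api_sequence_contains(apis, pattern):
    """True when every API in `pattern` occurs in `apis` in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(a == p for a in it) for p in pattern)


def triage(lines):
    """Return (rule, detail) findings for the behaviour lines given."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "code":
            for rule, pattern in API_RULES.items():
                if api_sequence_contains(ev["apis"], pattern):
                    findings.append((rule, ev["fid"]))
            continue
        path = ev["path"]
        low = path.lower()
        if ev["op"] == "created" and low.startswith(SYSTEM_DIRS):
            findings.append(("drop_in_system_dir", path))
        if ev["op"] == "deleted" and low.endswith(":zone.identifier"):
            # Deleting the Zone.Identifier stream strips mark-of-the-web;
            # the file it belonged to is the part before the stream name.
            primary = path.rsplit(":", 1)[0]
            findings.append(("motw_stripped", primary))
            if primary.lower().startswith(SYSTEM_DIRS) and not primary.lower().endswith(PE_EXTENSIONS):
                findings.append(("non_pe_extension_in_system_dir", primary))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(REPORT_LINES):
        print(rule, detail)
```

The API rules check order, not mere presence: OpenSCManagerW must precede OpenServiceW and DeleteService, which is what separates an uninstall routine from a service-enumeration loop that happens to import the same functions.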
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FA0F1 4_2_729FA0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E6417 4_2_729E6417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F4A9E 4_2_729F4A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F1090 4_2_729F1090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EDE81 4_2_729EDE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729ECAA3 4_2_729ECAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729ED2DD 4_2_729ED2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FC6D9 4_2_729FC6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EA2D2 4_2_729EA2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EA6C9 4_2_729EA6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EECFE 4_2_729EECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729ED6F0 4_2_729ED6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FD4E1 4_2_729FD4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E5418 4_2_729E5418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EE612 4_2_729EE612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E240F 4_2_729E240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E2208 4_2_729E2208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E1806 4_2_729E1806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F2C05 4_2_729F2C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F4C37 4_2_729F4C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F8A33 4_2_729F8A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F2631 4_2_729F2631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FD02D 4_2_729FD02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F8C2B 4_2_729F8C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F0223 4_2_729F0223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EA821 4_2_729EA821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F5250 4_2_729F5250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E4844 4_2_729E4844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EE044 4_2_729EE044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E327F 4_2_729E327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FAA7B 4_2_729FAA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EBE74 4_2_729EBE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F0672 4_2_729F0672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EBB96 4_2_729EBB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FC192 4_2_729FC192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E4D90 4_2_729E4D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F3590 4_2_729F3590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F0B8A 4_2_729F0B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F1F88 4_2_729F1F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F7187 4_2_729F7187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F9DBF 4_2_729F9DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F7BBE 4_2_729F7BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EF9BA 4_2_729EF9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EFFBA 4_2_729EFFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F09B8 4_2_729F09B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F47B5 4_2_729F47B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E3FAF 4_2_729E3FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EADAF 4_2_729EADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F93AA 4_2_729F93AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F2FA1 4_2_729F2FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E2DDF 4_2_729E2DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E57D4 4_2_729E57D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FDBC4 4_2_729FDBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E7FFE 4_2_729E7FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F1DFE 4_2_729F1DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E35FC 4_2_729E35FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FBBF1 4_2_729FBBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E67EF 4_2_729E67EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FCBE7 4_2_729FCBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F6BE4 4_2_729F6BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EF5E0 4_2_729EF5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FD70B 4_2_729FD70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E9106 4_2_729E9106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E5F04 4_2_729E5F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F4F04 4_2_729F4F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E3938 4_2_729E3938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E7B39 4_2_729E7B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E3336 4_2_729E3336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FCF31 4_2_729FCF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E7731 4_2_729E7731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E9D2F 4_2_729E9D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EA525 4_2_729EA525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F3F4F 4_2_729F3F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F434E 4_2_729F434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729F9B4A 4_2_729F9B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EC145 4_2_729EC145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E7378 4_2_729E7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E3B74 4_2_729E3B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EF369 4_2_729EF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FA966 4_2_729FA966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729EC364 4_2_729EC364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729FB165 4_2_729FB165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F457F 16_2_034F457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EED71 16_2_034EED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F53C0 16_2_034F53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034ECDD8 16_2_034ECDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F9C76 16_2_034F9C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E542D 16_2_034E542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E80E3 16_2_034E80E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F8684 16_2_034F8684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EE2BE 16_2_034EE2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E4F4C 16_2_034E4F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E7547 16_2_034E7547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F9B59 16_2_034F9B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EBD6C 16_2_034EBD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EF96A 16_2_034EF96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034ED77E 16_2_034ED77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F030B 16_2_034F030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E7D07 16_2_034E7D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EF100 16_2_034EF100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E8F1B 16_2_034E8F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E2B2B 16_2_034E2B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E1D2B 16_2_034E1D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EAB26 16_2_034EAB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E773B 16_2_034E773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F2938 16_2_034F2938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E83CE 16_2_034E83CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F19CB 16_2_034F19CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F83C9 16_2_034F83C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F9DC4 16_2_034F9DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E5FD2 16_2_034E5FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F49EF 16_2_034F49EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F8FE8 16_2_034F8FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E69FD 16_2_034E69FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E13FB 16_2_034E13FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E17FB 16_2_034E17FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EBFF4 16_2_034EBFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EA7F1 16_2_034EA7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E918D 16_2_034E918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EDB9E 16_2_034EDB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EB394 16_2_034EB394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034FABAE 16_2_034FABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E2FA7 16_2_034E2FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E43BC 16_2_034E43BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EF3B2 16_2_034EF3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034ECBB1 16_2_034ECBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F0E49 16_2_034F0E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E6248 16_2_034E6248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EA05D 16_2_034EA05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F4C55 16_2_034F4C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F346E 16_2_034F346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F066A 16_2_034F066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EEA68 16_2_034EEA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E5A60 16_2_034E5A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E3C7E 16_2_034E3C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F9A7E 16_2_034F9A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034FB07B 16_2_034FB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F300F 16_2_034F300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E7E0C 16_2_034E7E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034ED405 16_2_034ED405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E3A00 16_2_034E3A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F961A 16_2_034F961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F2422 16_2_034F2422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F0820 16_2_034F0820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EC232 16_2_034EC232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EFEC2 16_2_034EFEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E64D8 16_2_034E64D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F38D2 16_2_034F38D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EF6E3 16_2_034EF6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F3689 16_2_034F3689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E7A87 16_2_034E7A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E4685 16_2_034E4685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F7083 16_2_034F7083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F229F 16_2_034F229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F2C97 16_2_034F2C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E2290 16_2_034E2290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034E40AB 16_2_034E40AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034F12A3 16_2_034F12A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034FA6B2 16_2_034FA6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F541CE0 16_2_6F541CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F5497DF 16_2_6F5497DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F549D50 16_2_6F549D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F54946D 16_2_6F54946D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F556B72 16_2_6F556B72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F557329 16_2_6F557329
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F5493C0 16_2_6F5493C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F549A89 16_2_6F549A89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F546987 16_2_6F546987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F54A00B 16_2_6F54A00B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04489C76 17_2_04489C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447542D 17_2_0447542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044780E3 17_2_044780E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447E2BE 17_2_0447E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04489B59 17_2_04489B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447ED71 17_2_0447ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448457F 17_2_0448457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447D77E 17_2_0447D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04477D07 17_2_04477D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04472B2B 17_2_04472B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044853C0 17_2_044853C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044783CE 17_2_044783CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447CDD8 17_2_0447CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04480E49 17_2_04480E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04476248 17_2_04476248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447A05D 17_2_0447A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04484C55 17_2_04484C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448066A 17_2_0448066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448346E 17_2_0448346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04475A60 17_2_04475A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447EA68 17_2_0447EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448B07B 17_2_0448B07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04489A7E 17_2_04489A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04473C7E 17_2_04473C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447D405 17_2_0447D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448300F 17_2_0448300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04473A00 17_2_04473A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04477E0C 17_2_04477E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448961A 17_2_0448961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04480820 17_2_04480820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04482422 17_2_04482422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447C232 17_2_0447C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447FEC2 17_2_0447FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044838D2 17_2_044838D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044764D8 17_2_044764D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447F6E3 17_2_0447F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04477A87 17_2_04477A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04483689 17_2_04483689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04474685 17_2_04474685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04487083 17_2_04487083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04488684 17_2_04488684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448229F 17_2_0448229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04472290 17_2_04472290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04482C97 17_2_04482C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044812A3 17_2_044812A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044740AB 17_2_044740AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448A6B2 17_2_0448A6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04477547 17_2_04477547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04474F4C 17_2_04474F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447BD6C 17_2_0447BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447F96A 17_2_0447F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448030B 17_2_0448030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447F100 17_2_0447F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04478F1B 17_2_04478F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447AB26 17_2_0447AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04471D2B 17_2_04471D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04482938 17_2_04482938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447773B 17_2_0447773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044883C9 17_2_044883C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044819CB 17_2_044819CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04489DC4 17_2_04489DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04475FD2 17_2_04475FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04488FE8 17_2_04488FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044849EF 17_2_044849EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447BFF4 17_2_0447BFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447A7F1 17_2_0447A7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044769FD 17_2_044769FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044713FB 17_2_044713FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044717FB 17_2_044717FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447918D 17_2_0447918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447B394 17_2_0447B394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447DB9E 17_2_0447DB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04472FA7 17_2_04472FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0448ABAE 17_2_0448ABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447F3B2 17_2_0447F3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447CBB1 17_2_0447CBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044743BC 17_2_044743BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445564D 17_2_0445564D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0446024E 17_2_0446024E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445564C 17_2_0445564C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445945C 17_2_0445945C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0446405A 17_2_0446405A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04454E65 17_2_04454E65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445DE6D 17_2_0445DE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445FA6F 17_2_0445FA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04462873 17_2_04462873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0446907B 17_2_0446907B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04452E05 17_2_04452E05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04450C00 17_2_04450C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04455E02 17_2_04455E02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445C80A 17_2_0445C80A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04462414 17_2_04462414
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04457211 17_2_04457211
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04468A1F 17_2_04468A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445FC25 17_2_0445FC25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04461827 17_2_04461827
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445B637 17_2_0445B637
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04454832 17_2_04454832
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445F2C7 17_2_0445F2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445D6C3 17_2_0445D6C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04462CD7 17_2_04462CD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044558D6 17_2_044558D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044558DD 17_2_044558DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044574E8 17_2_044574E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445EAE8 17_2_0445EAE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04468E83 17_2_04468E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0446A480 17_2_0446A480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04453083 17_2_04453083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04462A8E 17_2_04462A8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04456E8C 17_2_04456E8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04466488 17_2_04466488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04453A8A 17_2_04453A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04467A89 17_2_04467A89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04451695 17_2_04451695
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0446209C 17_2_0446209C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044616A4 17_2_044616A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044606A8 17_2_044606A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04469AB7 17_2_04469AB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044534B0 17_2_044534B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04456B40 17_2_04456B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445694C 17_2_0445694C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04454351 17_2_04454351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04468F5E 17_2_04468F5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445E176 17_2_0445E176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445B171 17_2_0445B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445E505 17_2_0445E505
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445710C 17_2_0445710C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445F710 17_2_0445F710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04458320 17_2_04458320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04451130 17_2_04451130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04451F30 17_2_04451F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04461D3D 17_2_04461D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044537C1 17_2_044537C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044677CE 17_2_044677CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044691C9 17_2_044691C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044553D7 17_2_044553D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044577D3 17_2_044577D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044683ED 17_2_044683ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04463DF4 17_2_04463DF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04459BF6 17_2_04459BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445B3F9 17_2_0445B3F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04463984 17_2_04463984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445CB83 17_2_0445CB83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445A799 17_2_0445A799
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445CFA3 17_2_0445CFA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_044523AC 17_2_044523AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445E7B7 17_2_0445E7B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445BFB6 17_2_0445BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04469FB3 17_2_04469FB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370457F 18_2_0370457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FD77E 18_2_036FD77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FED71 18_2_036FED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03709B59 18_2_03709B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F2B2B 18_2_036F2B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F7D07 18_2_036F7D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F83CE 18_2_036F83CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_037053C0 18_2_037053C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FCDD8 18_2_036FCDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03709C76 18_2_03709C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F542D 18_2_036F542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F80E3 18_2_036F80E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FE2BE 18_2_036FE2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03708684 18_2_03708684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FBD6C 18_2_036FBD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FF96A 18_2_036FF96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F4F4C 18_2_036F4F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F7547 18_2_036F7547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F1D2B 18_2_036F1D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03702938 18_2_03702938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FAB26 18_2_036FAB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F773B 18_2_036F773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FF100 18_2_036FF100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F8F1B 18_2_036F8F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370030B 18_2_0370030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F69FD 18_2_036F69FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F13FB 18_2_036F13FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F17FB 18_2_036F17FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03708FE8 18_2_03708FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FBFF4 18_2_036FBFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FA7F1 18_2_036FA7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_037049EF 18_2_037049EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03709DC4 18_2_03709DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_037083C9 18_2_037083C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_037019CB 18_2_037019CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F5FD2 18_2_036F5FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F2FA7 18_2_036F2FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F43BC 18_2_036F43BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FF3B2 18_2_036FF3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FCBB1 18_2_036FCBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370ABAE 18_2_0370ABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F918D 18_2_036F918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FDB9E 18_2_036FDB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FB394 18_2_036FB394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FEA68 18_2_036FEA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370B07B 18_2_0370B07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03709A7E 18_2_03709A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F5A60 18_2_036F5A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F3C7E 18_2_036F3C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370066A 18_2_0370066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370346E 18_2_0370346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03704C55 18_2_03704C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F6248 18_2_036F6248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FA05D 18_2_036FA05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03700E49 18_2_03700E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03700820 18_2_03700820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03702422 18_2_03702422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FC232 18_2_036FC232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F7E0C 18_2_036F7E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370961A 18_2_0370961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FD405 18_2_036FD405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F3A00 18_2_036F3A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370300F 18_2_0370300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FF6E3 18_2_036FF6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_037038D2 18_2_037038D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FFEC2 18_2_036FFEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F64D8 18_2_036F64D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370A6B2 18_2_0370A6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F40AB 18_2_036F40AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_037012A3 18_2_037012A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03702C97 18_2_03702C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F7A87 18_2_036F7A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F4685 18_2_036F4685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0370229F 18_2_0370229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03707083 18_2_03707083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_03703689 18_2_03703689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036F2290 18_2_036F2290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A9C76 20_2_047A9C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479542D 20_2_0479542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047980E3 20_2_047980E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479E2BE 20_2_0479E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A457F 20_2_047A457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479D77E 20_2_0479D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479ED71 20_2_0479ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04792B2B 20_2_04792B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04797D07 20_2_04797D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479CDD8 20_2_0479CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047983CE 20_2_047983CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A53C0 20_2_047A53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047AB07B 20_2_047AB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A9A7E 20_2_047A9A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04793C7E 20_2_04793C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A066A 20_2_047A066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479EA68 20_2_0479EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A346E 20_2_047A346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04795A60 20_2_04795A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479A05D 20_2_0479A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A4C55 20_2_047A4C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04796248 20_2_04796248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A0E49 20_2_047A0E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479C232 20_2_0479C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A2422 20_2_047A2422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A0820 20_2_047A0820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A961A 20_2_047A961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A300F 20_2_047A300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04797E0C 20_2_04797E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04793A00 20_2_04793A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479D405 20_2_0479D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479F6E3 20_2_0479F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047964D8 20_2_047964D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A38D2 20_2_047A38D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479FEC2 20_2_0479FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047AA6B2 20_2_047AA6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047940AB 20_2_047940AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A12A3 20_2_047A12A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A229F 20_2_047A229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04792290 20_2_04792290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A2C97 20_2_047A2C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A3689 20_2_047A3689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A7083 20_2_047A7083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04794685 20_2_04794685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04797A87 20_2_04797A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A8684 20_2_047A8684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479F96A 20_2_0479F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479BD6C 20_2_0479BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A9B59 20_2_047A9B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04794F4C 20_2_04794F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04797547 20_2_04797547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479773B 20_2_0479773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A2938 20_2_047A2938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04791D2B 20_2_04791D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479AB26 20_2_0479AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04798F1B 20_2_04798F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047A030B 20_2_047A030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479F100 20_2_0479F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047913FB 20_2_047913FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047917FB 20_2_047917FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_047969FD 20_2_047969FD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F547F00 appears 51 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7100 -ip 7100
PE file contains strange resources
Source: pixmxoo.dll.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: zGeK5so94c.dll Static PE information: No import functions for PE file found
Uses 32bit PE files
Source: zGeK5so94c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: zGeK5so94c.dll Static PE information: Section: .data ZLIB complexity 1.0107421875
Source: classification engine Classification label: mal88.troj.evad.winDLL@61/8@0/3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F541CE0 Sleep,CreateToolhelp32Snapshot,GetLastError,Sleep,GetModuleFileNameW,PathFindFileNameW,Module32FirstW,Module32NextW,Module32NextW,FindCloseChangeNotification,Sleep,Module32NextW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ,std::ios_base::_Ios_base_dtor, 16_2_6F541CE0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:7156:64:WilError_01
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6FB.tmp
Source: zGeK5so94c.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zGeK5so94c.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\zGeK5so94c.dll'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7100 -ip 7100
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 240
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zGeK5so94c.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Desktop\zGeK5so94c.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hbjpd\usib.lxs',dldZeiafGYsN
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Hbjpd\usib.lxs',#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Hbjpd\pixmxoo.dll',#1 NAQAAB4AAABIAGIAagBwAGQAXAB1AHMAaQBiAC4AbAB4AHMAAAA=
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hbjpd\usib.lxs',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hlqxmsfzi\jjvjowsk.xoz',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdtgy\atyx.hvl',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cfwgvspim\fwvopxwu.wpy',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ibbigqfuoubc\tiynxefumvm.jsi',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aziiwkqaqp\dnweyyfur.lyr',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uchtpmhcpt\nfuoltapn.fge',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zvrxg\husq.avr',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jcoinynbga\etdgpznst.qoo',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfurjavtsbwkajdv\sfvtpwqlhvedlny.xdk',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Msjhyngbojq\bihctgwrjw.jsh',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mntpro\pwmgi.sow',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sioetxuvrihjyxu\wsarziebmecgqp.weo',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jvotvplywpzb\qwoawgsuzao.fmz',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofqhxlaxbkixqlny\iogmsr.ktr',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usfyyrevasc\hoztidaylv.ruq',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wzvizgyhx\mlhiyaxu.lik',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tthpthgifqmjjt\idvrfaaidqwxo.flr',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jdedkdp\loyrno.rpx',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmln\clyk.jxd',Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zGeK5so94c.dll,Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7100 -ip 7100
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 240
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Desktop\zGeK5so94c.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hbjpd\usib.lxs',dldZeiafGYsN
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Hbjpd\usib.lxs',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Hbjpd\pixmxoo.dll',#1 NAQAAB4AAABIAGIAagBwAGQAXAB1AHMAaQBiAC4AbAB4AHMAAAA=
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hbjpd\usib.lxs',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hlqxmsfzi\jjvjowsk.xoz',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdtgy\atyx.hvl',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cfwgvspim\fwvopxwu.wpy',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ibbigqfuoubc\tiynxefumvm.jsi',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aziiwkqaqp\dnweyyfur.lyr',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uchtpmhcpt\nfuoltapn.fge',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zvrxg\husq.avr',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jcoinynbga\etdgpznst.qoo',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfurjavtsbwkajdv\sfvtpwqlhvedlny.xdk',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Msjhyngbojq\bihctgwrjw.jsh',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mntpro\pwmgi.sow',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sioetxuvrihjyxu\wsarziebmecgqp.weo',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jvotvplywpzb\qwoawgsuzao.fmz',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofqhxlaxbkixqlny\iogmsr.ktr',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usfyyrevasc\hoztidaylv.ruq',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wzvizgyhx\mlhiyaxu.lik',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tthpthgifqmjjt\idvrfaaidqwxo.flr',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jdedkdp\loyrno.rpx',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmln\clyk.jxd',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: zGeK5so94c.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: aqmjrtmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000003.00000002.673102798.0000000002E72000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.668945836.00000000050C1000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E100B push ss; iretd 4_2_729E100C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F547F46 push ecx; ret 16_2_6F547F59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F5478D6 push ecx; ret 16_2_6F5478E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445F1F7 push es; ret 17_2_0445F1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0461F1F7 push es; ret 20_2_0461F1F8

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hbjpd\pixmxoo.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hbjpd\pixmxoo.dll

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hbjpd\usib.lxs:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hlqxmsfzi\jjvjowsk.xoz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bdtgy\atyx.hvl:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cfwgvspim\fwvopxwu.wpy:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ibbigqfuoubc\tiynxefumvm.jsi:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Aziiwkqaqp\dnweyyfur.lyr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uchtpmhcpt\nfuoltapn.fge:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zvrxg\husq.avr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jcoinynbga\etdgpznst.qoo:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bfurjavtsbwkajdv\sfvtpwqlhvedlny.xdk:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Msjhyngbojq\bihctgwrjw.jsh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mntpro\pwmgi.sow:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Sioetxuvrihjyxu\wsarziebmecgqp.weo:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jvotvplywpzb\qwoawgsuzao.fmz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ofqhxlaxbkixqlny\iogmsr.ktr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Usfyyrevasc\hoztidaylv.ruq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wzvizgyhx\mlhiyaxu.lik:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Tthpthgifqmjjt\idvrfaaidqwxo.flr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jdedkdp\loyrno.rpx:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mwmln\clyk.jxd:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Oxuscqjzcbk\nutudjdnrb.pvg:Zone.Identifier read attributes | delete
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 7080
Source: unknown Network traffic detected: HTTP traffic on port 7080 -> 49750
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F546987 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_6F546987
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\rundll32.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F541CE0 Sleep,CreateToolhelp32Snapshot,GetLastError,Sleep,GetModuleFileNameW,PathFindFileNameW,Module32FirstW,Module32NextW,Module32NextW,FindCloseChangeNotification,Sleep,Module32NextW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ,std::ios_base::_Ios_base_dtor, 16_2_6F541CE0
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1848 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F558C1D FindFirstFileExA, 16_2_6F558C1D
Source: WerFault.exe, 00000003.00000002.673636328.0000000004CA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.725933870.000001FBFCD40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.740940384.00000269B6940000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.780829637.000001D9CB800000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000E.00000002.779226551.000001D9CA884000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 0000000E.00000002.779508154.000001D9CA8EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.673636328.0000000004CA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.725933870.000001FBFCD40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.740940384.00000269B6940000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.780829637.000001D9CB800000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.673636328.0000000004CA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.725933870.000001FBFCD40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.740940384.00000269B6940000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.780829637.000001D9CB800000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.673636328.0000000004CA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.725933870.000001FBFCD40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.740940384.00000269B6940000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.780829637.000001D9CB800000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F54CF38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_6F54CF38
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F541CE0 Sleep,CreateToolhelp32Snapshot,GetLastError,Sleep,GetModuleFileNameW,PathFindFileNameW,Module32FirstW,Module32NextW,Module32NextW,FindCloseChangeNotification,Sleep,Module32NextW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ,std::ios_base::_Ios_base_dtor, 16_2_6F541CE0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_729E3278 mov eax, dword ptr fs:[00000030h] 4_2_729E3278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_034EF811 mov eax, dword ptr fs:[00000030h] 16_2_034EF811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F54ED6E mov eax, dword ptr fs:[00000030h] 16_2_6F54ED6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0447F811 mov eax, dword ptr fs:[00000030h] 17_2_0447F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0446C005 mov eax, dword ptr fs:[00000030h] 17_2_0446C005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0445EC16 mov eax, dword ptr fs:[00000030h] 17_2_0445EC16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_036FF811 mov eax, dword ptr fs:[00000030h] 18_2_036FF811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0479F811 mov eax, dword ptr fs:[00000030h] 20_2_0479F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0462C005 mov eax, dword ptr fs:[00000030h] 20_2_0462C005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0461EC16 mov eax, dword ptr fs:[00000030h] 20_2_0461EC16
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F559BB5 GetProcessHeap, 16_2_6F559BB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F54CF38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_6F54CF38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F547D7E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_6F547D7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F547A38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_6F547A38

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 203.157.152.9 168 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,CreateToolhelp32Snapshot,GetLastError,Sleep,GetModuleFileNameW,PathFindFileNameW,Module32FirstW,Module32NextW,Module32NextW,FindCloseChangeNotification,Sleep,Module32NextW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ,std::ios_base::_Ios_base_dtor, explorer.exe 16_2_6F541CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, explorer.exe 16_2_6F542180
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7100 -ip 7100 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 240 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Hbjpd\pixmxoo.dll',#1 NAQAAB4AAABIAGIAagBwAGQAXAB1AHMAaQBiAC4AbAB4AHMAAAA= Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F547F5B cpuid 16_2_6F547F5B
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 16_2_6F55BF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 16_2_6F55BE06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 16_2_6F55BEA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 16_2_6F55BD12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 16_2_6F55BDBB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_6F55C47B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 16_2_6F551CC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 16_2_6F55BB43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 16_2_6F55C3AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_6F55C2A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 16_2_6F55C17E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 16_2_6F5520D9
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F547CA5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 16_2_6F547CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F555774 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 16_2_6F555774
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: zGeK5so94c.dll, type: SAMPLE
Source: Yara match File source: 00000005.00000002.679972484.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.678150026.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.773552883.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680588418.00000000729E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.729e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.729e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.729e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.729e0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_6F5413C0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 16_2_6F5413C0

Behavior Graph:

Behavior Graph ID: 344305 Sample: zGeK5so94c Startdate: 26/01/2021 Architecture: WINDOWS Score: 88
(rendered graph not recoverable; node data recovered from the graph text follows)

Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus / Scanner detection for submitted sample; Yara detected Emotet; 3 other signatures

Process tree (child processes indented under their parent):
  loaddll32.exe
    rundll32.exe
      rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
        rundll32.exe
          rundll32.exe  [System process connects to network (likely due to code injection or exploit)]
            contacts: 190.55.186.229, 80 TelecentroSAAR Argentina
            contacts: 203.157.152.9, 49750, 7080 MOPH-TH-APInformationTechnologyOfficeSG Thailand
            dropped:  C:\Windows\SysWOW64\Hbjpd\pixmxoo.dll, PE32
            rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
              rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                contacts: 192.168.2.1 unknown unknown
                rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                  rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                    rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
    WerFault.exe
  svchost.exe
    WerFault.exe
  svchost.exe
  2 other processes

Contacted Public IPs

IP              Domain   Country    ASN    ASN Name                                  Malicious
203.157.152.9   unknown  Thailand   9649   MOPH-TH-APInformationTechnologyOfficeSG   true
190.55.186.229  unknown  Argentina  27747  TelecentroSAAR                            true

Private

IP
192.168.2.1

Contacted URLs

Name                                                                    Malicious  Antivirus Detection    Reputation
http://203.157.152.9:7080/k8idqdr2/                                     true       Avira URL Cloud: safe  unknown
http://203.157.152.9:7080/2ijyf1/txor3som/z3prsr3ev/l8z0/1k9au09l0vb/   true       Avira URL Cloud: safe  unknown