Analysis Report v8iFmF7XPp

Overview

General Information

Sample Name: v8iFmF7XPp (renamed file extension from none to dll)
Analysis ID: 386403
MD5: 57c45087c4228b685f2ba1739033aa52
SHA1: 0dfcdc6a288fe0792363b55cfa0009343239f7e7
SHA256: 0ef921657a9c7d429c65e2a5b74a235b75b3f14d1a0781bc5b174472913c2902
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 36.2.rundll32.exe.49f0000.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKmd+Pam+7HWeoRnZCmLHfQX3/RRijh6\nbPqYGHGBBGcEQb+EOfmkdG0BnTZfvg2iXKB8yhPQsHPR9nZoyMt7OWPYA080O3zM\nzB7+nWmsc0YPpSte4JR7YPZYIpxXZs7fFwIDAQAB", "C2 list": ["80.158.3.161:443", "80.158.51.209:8080", "80.158.35.51:80", "80.158.63.78:443", "80.158.53.167:80", "80.158.62.194:443", "80.158.59.174:8080", "95.213.236.64:8080", "72.186.136.247:443", "185.201.9.197:8080", "203.153.216.189:7080", "202.134.4.216:8080", "72.229.97.235:80", "24.179.13.119:80", "174.118.202.24:443", "74.208.45.104:8080", "51.89.36.180:443", "172.104.97.173:8080", "136.244.110.184:8080", "79.137.83.50:443", "61.19.246.238:443", "119.59.116.21:8080", "109.74.5.95:8080", "37.187.72.193:8080", "181.171.209.241:443", "100.37.240.62:80", "24.69.65.8:8080", "123.176.25.234:80", "74.128.121.17:80", "98.109.133.80:80", "161.0.153.60:80", "37.139.21.175:8080", "178.152.87.96:80", "172.86.188.251:8080", "94.23.237.171:443", "110.145.77.103:80", "5.39.91.110:7080", "46.105.131.79:8080", "120.150.60.189:80", "173.70.61.180:80", "59.21.235.119:80", "70.92.118.112:80", "41.185.28.84:8080", "201.241.127.190:80", "85.105.111.166:80", "152.170.205.73:80", "187.161.206.24:80", "118.83.154.64:443", "190.240.194.77:443", "202.134.4.211:8080", "78.24.219.147:8080", "89.216.122.92:80", "200.116.145.225:443", "197.211.245.21:80", "194.190.67.75:80", "139.99.158.11:443", "190.162.215.233:80", "115.94.207.99:443", "139.162.60.124:8080", "167.114.153.111:8080", "176.111.60.55:8080", "78.189.148.42:80", "134.209.144.106:443", "138.68.87.218:443", "110.145.101.66:443", "172.125.40.123:80", "87.106.139.101:8080", "70.183.211.3:80", "64.207.182.168:8080", "157.245.99.39:8080", "181.165.68.127:80", "62.171.142.179:8080", "75.177.207.146:80", "209.141.54.221:7080", "70.180.33.202:80", "109.116.245.80:80", "144.217.7.207:7080", "50.91.114.38:80", "139.59.60.244:8080", "97.120.3.198:80", "121.124.124.40:7080", "104.131.11.150:443", "67.170.250.203:443", "185.94.252.104:443", "220.245.198.194:80", "49.205.182.134:80", "50.245.107.73:443", "172.105.13.66:443", "5.2.212.254:80", "78.188.225.105:80", "120.150.218.241:443", "93.146.48.84:80", "110.145.11.73:80", "168.235.67.138:7080", "217.20.166.178:7080", "24.178.90.49:80", "95.9.5.93:80", "194.4.58.192:7080", "47.144.21.37:80"]}
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll Virustotal: Detection: 74% Perma Link
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll Metadefender: Detection: 43% Perma Link
Source: C:\Windows\SysWOW64\Qfjc\jklaa.dll ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: v8iFmF7XPp.dll Virustotal: Detection: 79% Perma Link
Source: v8iFmF7XPp.dll Metadefender: Detection: 50% Perma Link
Source: v8iFmF7XPp.dll ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: v8iFmF7XPp.dll Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70332180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, 21_2_70332180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70335700 RegOpenKeyA,EncryptFileA,VirtualAlloc,Sleep,ExitProcess, 21_2_70335700

Compliance:

barindex
Uses 32bit PE files
Source: v8iFmF7XPp.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70348C1D FindFirstFileExA, 21_2_70348C1D

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 80.158.3.161:443
Source: Malware configuration extractor IPs: 80.158.51.209:8080
Source: Malware configuration extractor IPs: 80.158.35.51:80
Source: Malware configuration extractor IPs: 80.158.63.78:443
Source: Malware configuration extractor IPs: 80.158.53.167:80
Source: Malware configuration extractor IPs: 80.158.62.194:443
Source: Malware configuration extractor IPs: 80.158.59.174:8080
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 72.186.136.247:443
Source: Malware configuration extractor IPs: 185.201.9.197:8080
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 202.134.4.216:8080
Source: Malware configuration extractor IPs: 72.229.97.235:80
Source: Malware configuration extractor IPs: 24.179.13.119:80
Source: Malware configuration extractor IPs: 174.118.202.24:443
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 51.89.36.180:443
Source: Malware configuration extractor IPs: 172.104.97.173:8080
Source: Malware configuration extractor IPs: 136.244.110.184:8080
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 119.59.116.21:8080
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 181.171.209.241:443
Source: Malware configuration extractor IPs: 100.37.240.62:80
Source: Malware configuration extractor IPs: 24.69.65.8:8080
Source: Malware configuration extractor IPs: 123.176.25.234:80
Source: Malware configuration extractor IPs: 74.128.121.17:80
Source: Malware configuration extractor IPs: 98.109.133.80:80
Source: Malware configuration extractor IPs: 161.0.153.60:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 178.152.87.96:80
Source: Malware configuration extractor IPs: 172.86.188.251:8080
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 110.145.77.103:80
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 173.70.61.180:80
Source: Malware configuration extractor IPs: 59.21.235.119:80
Source: Malware configuration extractor IPs: 70.92.118.112:80
Source: Malware configuration extractor IPs: 41.185.28.84:8080
Source: Malware configuration extractor IPs: 201.241.127.190:80
Source: Malware configuration extractor IPs: 85.105.111.166:80
Source: Malware configuration extractor IPs: 152.170.205.73:80
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 118.83.154.64:443
Source: Malware configuration extractor IPs: 190.240.194.77:443
Source: Malware configuration extractor IPs: 202.134.4.211:8080
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 89.216.122.92:80
Source: Malware configuration extractor IPs: 200.116.145.225:443
Source: Malware configuration extractor IPs: 197.211.245.21:80
Source: Malware configuration extractor IPs: 194.190.67.75:80
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 190.162.215.233:80
Source: Malware configuration extractor IPs: 115.94.207.99:443
Source: Malware configuration extractor IPs: 139.162.60.124:8080
Source: Malware configuration extractor IPs: 167.114.153.111:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 78.189.148.42:80
Source: Malware configuration extractor IPs: 134.209.144.106:443
Source: Malware configuration extractor IPs: 138.68.87.218:443
Source: Malware configuration extractor IPs: 110.145.101.66:443
Source: Malware configuration extractor IPs: 172.125.40.123:80
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 70.183.211.3:80
Source: Malware configuration extractor IPs: 64.207.182.168:8080
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 181.165.68.127:80
Source: Malware configuration extractor IPs: 62.171.142.179:8080
Source: Malware configuration extractor IPs: 75.177.207.146:80
Source: Malware configuration extractor IPs: 209.141.54.221:7080
Source: Malware configuration extractor IPs: 70.180.33.202:80
Source: Malware configuration extractor IPs: 109.116.245.80:80
Source: Malware configuration extractor IPs: 144.217.7.207:7080
Source: Malware configuration extractor IPs: 50.91.114.38:80
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 97.120.3.198:80
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 67.170.250.203:443
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 220.245.198.194:80
Source: Malware configuration extractor IPs: 49.205.182.134:80
Source: Malware configuration extractor IPs: 50.245.107.73:443
Source: Malware configuration extractor IPs: 172.105.13.66:443
Source: Malware configuration extractor IPs: 5.2.212.254:80
Source: Malware configuration extractor IPs: 78.188.225.105:80
Source: Malware configuration extractor IPs: 120.150.218.241:443
Source: Malware configuration extractor IPs: 93.146.48.84:80
Source: Malware configuration extractor IPs: 110.145.11.73:80
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 217.20.166.178:7080
Source: Malware configuration extractor IPs: 24.178.90.49:80
Source: Malware configuration extractor IPs: 95.9.5.93:80
Source: Malware configuration extractor IPs: 194.4.58.192:7080
Source: Malware configuration extractor IPs: 47.144.21.37:80
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 31
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 97.120.3.198 97.120.3.198
Source: Joe Sandbox View IP Address: 97.120.3.198 97.120.3.198
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View ASN Name: CENTURYLINK-US-LEGACY-QWESTUS CENTURYLINK-US-LEGACY-QWESTUS
Source: Joe Sandbox View ASN Name: BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1DNT: 0Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHMUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.71.148.58:443Content-Length: 6564Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bnl4xmkzrn1f8bjj9e/kox9ds79wzqntiit/a219nkda3nv0ln83dk/ingn8/w1sz8lqi2h4xevvf153/ HTTP/1.1DNT: 0Referer: 167.71.148.58/bnl4xmkzrn1f8bjj9e/kox9ds79wzqntiit/a219nkda3nv0ln83dk/ingn8/w1sz8lqi2h4xevvf153/Content-Type: multipart/form-data; boundary=----------------------v7ja694BxhvFduv6zU4WRCUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.71.148.58:443Content-Length: 6484Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown HTTP traffic detected: POST /fevfu215h/qkkg/exml9v/txegp7e76u/ HTTP/1.1DNT: 0Referer: 167.71.148.58/fevfu215h/qkkg/exml9v/txegp7e76u/Content-Type: multipart/form-data; boundary=-------------wy44tK3dAXXHMUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.71.148.58:443Content-Length: 6564Connection: Keep-AliveCache-Control: no-cache
Source: svchost.exe, 00000009.00000002.468110110.000002C419E89000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000009.00000002.468110110.000002C419E89000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000009.00000002.467760812.000002C419E14000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000009.00000002.467432440.000002C419D60000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.462704832.000002C4146AF000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enum
Source: svchost.exe, 00000010.00000002.309488340.0000023697213000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.309202138.000002369725A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000002.309538398.000002369724E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000002.309527175.0000023697242000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000002.309527175.0000023697242000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.309202138.000002369725A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000002.309544105.000002369725C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000002.309551952.0000023697265000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.309188880.0000023697261000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.309488340.0000023697213000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309522855.000002369723D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.309215409.0000023697240000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.287440739.0000023697232000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000002.309517521.000002369723B000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000002.309538398.000002369724E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 00000003.00000002.198543812.0000000004411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.198440197.0000000004310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.343393255.0000000003350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.343444128.0000000003371000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.462653731.0000000002391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.463337654.0000000002720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2720000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3350000.1.unpack, type: UNPACKEDPE

System Summary:

barindex
Contains functionality to delete services
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70335CE0 GetModuleFileNameW,PathFindFileNameW,OpenSCManagerW,OpenServiceW,DeleteService,CloseHandle,RegCreateKeyExW,RegDeleteValueW,CloseHandle,MoveFileW,ExitProcess, 21_2_70335CE0
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Qfjc\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Qfjc\jojcnj.tmq:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100180F1 3_2_100180F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10016156 3_2_10016156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100129C7 3_2_100129C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013270 3_2_10013270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013A9C 3_2_10013A9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100172D6 3_2_100172D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10016BDE 3_2_10016BDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D3FF 3_2_1000D3FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001367C 3_2_1001367C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001669A 3_2_1001669A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012E9C 3_2_10012E9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04416C05 3_2_04416C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04428978 3_2_04428978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04414121 3_2_04414121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442C19B 3_2_0442C19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04424DAD 3_2_04424DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04416E8A 3_2_04416E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441E360 3_2_0441E360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441FB04 3_2_0441FB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04419716 3_2_04419716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442533C 3_2_0442533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442A7E4 3_2_0442A7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044183F0 3_2_044183F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441D04B 3_2_0441D04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441884A 3_2_0441884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04425060 3_2_04425060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04420C65 3_2_04420C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441F471 3_2_0441F471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04421C79 3_2_04421C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04414828 3_2_04414828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044268CB 3_2_044268CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441B0E1 3_2_0441B0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442D08F 3_2_0442D08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442A094 3_2_0442A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441F099 3_2_0441F099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441C8A5 3_2_0441C8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442C95E 3_2_0442C95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04414D5F 3_2_04414D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04415D0E 3_2_04415D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04422513 3_2_04422513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441E924 3_2_0441E924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441792C 3_2_0441792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04425D36 3_2_04425D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044239E1 3_2_044239E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04418994 3_2_04418994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442B19F 3_2_0442B19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044181A0 3_2_044181A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044159B8 3_2_044159B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04427A50 3_2_04427A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441D668 3_2_0441D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441766F 3_2_0441766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441427A 3_2_0441427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04428E79 3_2_04428E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04422A7D 3_2_04422A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04411600 3_2_04411600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04423600 3_2_04423600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04413618 3_2_04413618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441DEC9 3_2_0441DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441D2CE 3_2_0441D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044212D1 3_2_044212D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044276D5 3_2_044276D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04429AE2 3_2_04429AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04417AE4 3_2_04417AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442A2EA 3_2_0442A2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04420EA0 3_2_04420EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044272AE 3_2_044272AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044112B6 3_2_044112B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04416ABA 3_2_04416ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04416342 3_2_04416342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04412746 3_2_04412746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04423745 3_2_04423745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04425748 3_2_04425748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04418F55 3_2_04418F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441DB5B 3_2_0441DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04425B60 3_2_04425B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04420705 3_2_04420705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04428313 3_2_04428313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441BB28 3_2_0441BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441C3C2 3_2_0441C3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044133F4 3_2_044133F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441B7F8 3_2_0441B7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441EF80 3_2_0441EF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04413B97 3_2_04413B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441B3A2 3_2_0441B3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04413FAB 3_2_04413FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044167AC 3_2_044167AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0442CBB0 3_2_0442CBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0441FFB5 3_2_0441FFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F457F 21_2_050F457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EED71 21_2_050EED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F53C0 21_2_050F53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050ECDD8 21_2_050ECDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E542D 21_2_050E542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F9C76 21_2_050F9C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F8684 21_2_050F8684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EE2BE 21_2_050EE2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E80E3 21_2_050E80E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F030B 21_2_050F030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E7D07 21_2_050E7D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EF100 21_2_050EF100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E8F1B 21_2_050E8F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E2B2B 21_2_050E2B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E1D2B 21_2_050E1D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EAB26 21_2_050EAB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E773B 21_2_050E773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F2938 21_2_050F2938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E4F4C 21_2_050E4F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E7547 21_2_050E7547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F9B59 21_2_050F9B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EBD6C 21_2_050EBD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EF96A 21_2_050EF96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050ED77E 21_2_050ED77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E918D 21_2_050E918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EDB9E 21_2_050EDB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EB394 21_2_050EB394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050FABAE 21_2_050FABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E2FA7 21_2_050E2FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E43BC 21_2_050E43BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EF3B2 21_2_050EF3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050ECBB1 21_2_050ECBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E83CE 21_2_050E83CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F19CB 21_2_050F19CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F83C9 21_2_050F83C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F9DC4 21_2_050F9DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E5FD2 21_2_050E5FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F49EF 21_2_050F49EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F8FE8 21_2_050F8FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E69FD 21_2_050E69FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E13FB 21_2_050E13FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E17FB 21_2_050E17FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EBFF4 21_2_050EBFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EA7F1 21_2_050EA7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F300F 21_2_050F300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E7E0C 21_2_050E7E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050ED405 21_2_050ED405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E3A00 21_2_050E3A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F961A 21_2_050F961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F2422 21_2_050F2422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F0820 21_2_050F0820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EC232 21_2_050EC232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F0E49 21_2_050F0E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E6248 21_2_050E6248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EA05D 21_2_050EA05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F4C55 21_2_050F4C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F346E 21_2_050F346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F066A 21_2_050F066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EEA68 21_2_050EEA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E5A60 21_2_050E5A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E3C7E 21_2_050E3C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F9A7E 21_2_050F9A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050FB07B 21_2_050FB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F3689 21_2_050F3689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E7A87 21_2_050E7A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E4685 21_2_050E4685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F7083 21_2_050F7083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F229F 21_2_050F229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F2C97 21_2_050F2C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E2290 21_2_050E2290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E40AB 21_2_050E40AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F12A3 21_2_050F12A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050FA6B2 21_2_050FA6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EFEC2 21_2_050EFEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050E64D8 21_2_050E64D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050F38D2 21_2_050F38D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EF6E3 21_2_050EF6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70331CE0 21_2_70331CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_7033A00B 21_2_7033A00B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70336987 21_2_70336987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70339A89 21_2_70339A89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70347329 21_2_70347329
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70346B72 21_2_70346B72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_7033A392 21_2_7033A392
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_703393C0 21_2_703393C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_7033946D 21_2_7033946D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70339D50 21_2_70339D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_703397DF 21_2_703397DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04559C76 24_2_04559C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454542D 24_2_0454542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045480E3 24_2_045480E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04558684 24_2_04558684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454E2BE 24_2_0454E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454ED71 24_2_0454ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454D77E 24_2_0454D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455457F 24_2_0455457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04547D07 24_2_04547D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04542B2B 24_2_04542B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454CDD8 24_2_0454CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045553C0 24_2_045553C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045483CE 24_2_045483CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04554C55 24_2_04554C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454A05D 24_2_0454A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04550E49 24_2_04550E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04546248 24_2_04546248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04543C7E 24_2_04543C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04559A7E 24_2_04559A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455B07B 24_2_0455B07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04545A60 24_2_04545A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455346E 24_2_0455346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454EA68 24_2_0454EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455066A 24_2_0455066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455961A 24_2_0455961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454D405 24_2_0454D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04543A00 24_2_04543A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04547E0C 24_2_04547E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455300F 24_2_0455300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454C232 24_2_0454C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04550820 24_2_04550820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04552422 24_2_04552422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045538D2 24_2_045538D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045464D8 24_2_045464D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454FEC2 24_2_0454FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454F6E3 24_2_0454F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04552C97 24_2_04552C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04542290 24_2_04542290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455229F 24_2_0455229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04544685 24_2_04544685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04547A87 24_2_04547A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04557083 24_2_04557083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04553689 24_2_04553689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455A6B2 24_2_0455A6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045512A3 24_2_045512A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045440AB 24_2_045440AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04559B59 24_2_04559B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04547547 24_2_04547547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04544F4C 24_2_04544F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454BD6C 24_2_0454BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454F96A 24_2_0454F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04548F1B 24_2_04548F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454F100 24_2_0454F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455030B 24_2_0455030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04552938 24_2_04552938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454773B 24_2_0454773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454AB26 24_2_0454AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04541D2B 24_2_04541D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04545FD2 24_2_04545FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04559DC4 24_2_04559DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045583C9 24_2_045583C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045519CB 24_2_045519CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454BFF4 24_2_0454BFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454A7F1 24_2_0454A7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045469FD 24_2_045469FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045413FB 24_2_045413FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045417FB 24_2_045417FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045549EF 24_2_045549EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04558FE8 24_2_04558FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454B394 24_2_0454B394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454DB9E 24_2_0454DB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454918D 24_2_0454918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454CBB1 24_2_0454CBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454F3B2 24_2_0454F3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045443BC 24_2_045443BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04542FA7 24_2_04542FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0455ABAE 24_2_0455ABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0453405A 24_2_0453405A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452945C 24_2_0452945C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0453024E 24_2_0453024E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452564C 24_2_0452564C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452564D 24_2_0452564D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04532873 24_2_04532873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0453907B 24_2_0453907B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04524E65 24_2_04524E65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452FA6F 24_2_0452FA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452DE6D 24_2_0452DE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04527211 24_2_04527211
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04532414 24_2_04532414
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04538A1F 24_2_04538A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04525E02 24_2_04525E02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04520C00 24_2_04520C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04522E05 24_2_04522E05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452C80A 24_2_0452C80A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04524832 24_2_04524832
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452B637 24_2_0452B637
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04531827 24_2_04531827
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452FC25 24_2_0452FC25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04532CD7 24_2_04532CD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045258D6 24_2_045258D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045258DD 24_2_045258DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452D6C3 24_2_0452D6C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452F2C7 24_2_0452F2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045274E8 24_2_045274E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452EAE8 24_2_0452EAE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04521695 24_2_04521695
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0453209C 24_2_0453209C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04538E83 24_2_04538E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04523083 24_2_04523083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0453A480 24_2_0453A480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04523A8A 24_2_04523A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04537A89 24_2_04537A89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04536488 24_2_04536488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04532A8E 24_2_04532A8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04526E8C 24_2_04526E8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045234B0 24_2_045234B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04539AB7 24_2_04539AB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045316A4 24_2_045316A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045306A8 24_2_045306A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04524351 24_2_04524351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04538F5E 24_2_04538F5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04526B40 24_2_04526B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452694C 24_2_0452694C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452B171 24_2_0452B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452E176 24_2_0452E176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452F710 24_2_0452F710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452E505 24_2_0452E505
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452710C 24_2_0452710C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04521130 24_2_04521130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04521F30 24_2_04521F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04531D3D 24_2_04531D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04528320 24_2_04528320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045277D3 24_2_045277D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045253D7 24_2_045253D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045237C1 24_2_045237C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045391C9 24_2_045391C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045377CE 24_2_045377CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04529BF6 24_2_04529BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04533DF4 24_2_04533DF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452B3F9 24_2_0452B3F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045383ED 24_2_045383ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452A799 24_2_0452A799
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452CB83 24_2_0452CB83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04533984 24_2_04533984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04539FB3 24_2_04539FB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452BFB6 24_2_0452BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452E7B7 24_2_0452E7B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452CFA3 24_2_0452CFA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_045223AC 24_2_045223AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A9C76 25_2_045A9C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459542D 25_2_0459542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045980E3 25_2_045980E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459E2BE 25_2_0459E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A457F 25_2_045A457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459D77E 25_2_0459D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459ED71 25_2_0459ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04597D07 25_2_04597D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04592B2B 25_2_04592B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459CDD8 25_2_0459CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045983CE 25_2_045983CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A53C0 25_2_045A53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459A05D 25_2_0459A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A4C55 25_2_045A4C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04596248 25_2_04596248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A0E49 25_2_045A0E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045AB07B 25_2_045AB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A9A7E 25_2_045A9A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04593C7E 25_2_04593C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A066A 25_2_045A066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459EA68 25_2_0459EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A346E 25_2_045A346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04595A60 25_2_04595A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A961A 25_2_045A961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A300F 25_2_045A300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04597E0C 25_2_04597E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04593A00 25_2_04593A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459D405 25_2_0459D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459C232 25_2_0459C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A2422 25_2_045A2422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A0820 25_2_045A0820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045964D8 25_2_045964D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A38D2 25_2_045A38D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459FEC2 25_2_0459FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459F6E3 25_2_0459F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A229F 25_2_045A229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04592290 25_2_04592290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A2C97 25_2_045A2C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A3689 25_2_045A3689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A7083 25_2_045A7083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04594685 25_2_04594685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04597A87 25_2_04597A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A8684 25_2_045A8684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045AA6B2 25_2_045AA6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045940AB 25_2_045940AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A12A3 25_2_045A12A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A9B59 25_2_045A9B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04594F4C 25_2_04594F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04597547 25_2_04597547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459F96A 25_2_0459F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459BD6C 25_2_0459BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04598F1B 25_2_04598F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A030B 25_2_045A030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459F100 25_2_0459F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459773B 25_2_0459773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A2938 25_2_045A2938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04591D2B 25_2_04591D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459AB26 25_2_0459AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04595FD2 25_2_04595FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A19CB 25_2_045A19CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A83C9 25_2_045A83C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A9DC4 25_2_045A9DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045913FB 25_2_045913FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045917FB 25_2_045917FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045969FD 25_2_045969FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459A7F1 25_2_0459A7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459BFF4 25_2_0459BFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A8FE8 25_2_045A8FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045A49EF 25_2_045A49EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459DB9E 25_2_0459DB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459B394 25_2_0459B394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459918D 25_2_0459918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045943BC 25_2_045943BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459CBB1 25_2_0459CBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459F3B2 25_2_0459F3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045AABAE 25_2_045AABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04592FA7 25_2_04592FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0458405A 25_2_0458405A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457945C 25_2_0457945C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0458024E 25_2_0458024E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457564D 25_2_0457564D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457564C 25_2_0457564C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0458907B 25_2_0458907B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04582873 25_2_04582873
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04574E65 25_2_04574E65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457FA6F 25_2_0457FA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457DE6D 25_2_0457DE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04577211 25_2_04577211
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04588A1F 25_2_04588A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04582414 25_2_04582414
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04572E05 25_2_04572E05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04575E02 25_2_04575E02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04570C00 25_2_04570C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457C80A 25_2_0457C80A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457B637 25_2_0457B637
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04574832 25_2_04574832
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457FC25 25_2_0457FC25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04581827 25_2_04581827
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045758D6 25_2_045758D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045758DD 25_2_045758DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04582CD7 25_2_04582CD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457F2C7 25_2_0457F2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457D6C3 25_2_0457D6C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045774E8 25_2_045774E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457EAE8 25_2_0457EAE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04571695 25_2_04571695
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0458209C 25_2_0458209C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04586488 25_2_04586488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04587A89 25_2_04587A89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04573083 25_2_04573083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04582A8E 25_2_04582A8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0458A480 25_2_0458A480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04576E8C 25_2_04576E8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04588E83 25_2_04588E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04573A8A 25_2_04573A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045734B0 25_2_045734B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04589AB7 25_2_04589AB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045806A8 25_2_045806A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045816A4 25_2_045816A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04588F5E 25_2_04588F5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04574351 25_2_04574351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04576B40 25_2_04576B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457694C 25_2_0457694C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457E176 25_2_0457E176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457B171 25_2_0457B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457F710 25_2_0457F710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457E505 25_2_0457E505
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457710C 25_2_0457710C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04581D3D 25_2_04581D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04571130 25_2_04571130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04571F30 25_2_04571F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04578320 25_2_04578320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045753D7 25_2_045753D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045777D3 25_2_045777D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045891C9 25_2_045891C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045877CE 25_2_045877CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045737C1 25_2_045737C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04579BF6 25_2_04579BF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04583DF4 25_2_04583DF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457B3F9 25_2_0457B3F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045883ED 25_2_045883ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457A799 25_2_0457A799
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457CB83 25_2_0457CB83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04583984 25_2_04583984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457E7B7 25_2_0457E7B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457BFB6 25_2_0457BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_04589FB3 25_2_04589FB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457CFA3 25_2_0457CFA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_045723AC 25_2_045723AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3E2BE 26_2_04A3E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A380E3 26_2_04A380E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3542D 26_2_04A3542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A49C76 26_2_04A49C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A453C0 26_2_04A453C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A383CE 26_2_04A383CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3CDD8 26_2_04A3CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A32B2B 26_2_04A32B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A37D07 26_2_04A37D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3ED71 26_2_04A3ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A4457F 26_2_04A4457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3D77E 26_2_04A3D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A412A3 26_2_04A412A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A340AB 26_2_04A340AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A4A6B2 26_2_04A4A6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A48684 26_2_04A48684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A37A87 26_2_04A37A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A34685 26_2_04A34685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A47083 26_2_04A47083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A43689 26_2_04A43689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A42C97 26_2_04A42C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A32290 26_2_04A32290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A4229F 26_2_04A4229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3F6E3 26_2_04A3F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3FEC2 26_2_04A3FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A438D2 26_2_04A438D2
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Windows\SysWOW64\Qfjc\jklaa.dll A9C68D527223DB40014D067CF4FDAE5BE46CCA67387E9CFDFF118276085F23EF
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 70337F00 appears 50 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1000BC28 appears 47 times
PE file contains strange resources
Source: jklaa.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jklaa.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jklaa.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jklaa.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Uses 32bit PE files
Source: v8iFmF7XPp.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: v8iFmF7XPp.dll Static PE information: Section: .rsrc ZLIB complexity 0.999393284574
Source: classification engine Classification label: mal96.troj.evad.winDLL@53/9@0/100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04414121 GetDiskFreeSpaceA, 3_2_04414121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70332180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, 21_2_70332180
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\UPDE009.tmp Jump to behavior
Source: v8iFmF7XPp.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\v8iFmF7XPp.dll,RunDLL
Source: v8iFmF7XPp.dll Virustotal: Detection: 79%
Source: v8iFmF7XPp.dll Metadefender: Detection: 50%
Source: v8iFmF7XPp.dll ReversingLabs: Detection: 88%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\v8iFmF7XPp.dll,RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Qfjc\jklaa.dll',RunDLL 1AIAACAAAABRAGYAagBjAFwAagBvAGoAYwBuAGoALgB0AG0AcQAAAA==
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ctxuywd\wutukq.pfb',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzwiovrtengiv\kqvcktqgbfib.iqj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxwmb\jkpj.zgu',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vtvnv\rgao.stw',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tduzowfuyye\kwrnkagaoo.gjy',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Acjeqx\suoth.uea',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vsbshgerbjleuww\jcxjttitojfdgx.izj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sxwlvdjt\gtruoro.fuy',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvrwkvknxaabriyw\pmfojithdcmeryt.srg',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Niikduolbedqywld\lkcbagravqkrfqh.nmi',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zoyzltjfgemqhsmn\vnkfptckelbvwlk.boa',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Livoial\pcccws.vji',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iazkdtsnhfgqyu\kqzarazxjjgtp.ohz',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qrtvgntlq\jkzevdis.pdj',Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\v8iFmF7XPp.dll,RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\v8iFmF7XPp.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\Qfjc\jklaa.dll',RunDLL 1AIAACAAAABRAGYAagBjAFwAagBvAGoAYwBuAGoALgB0AG0AcQAAAA== Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfjc\jojcnj.tmq',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ctxuywd\wutukq.pfb',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzwiovrtengiv\kqvcktqgbfib.iqj',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxwmb\jkpj.zgu',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vtvnv\rgao.stw',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tduzowfuyye\kwrnkagaoo.gjy',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Acjeqx\suoth.uea',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vsbshgerbjleuww\jcxjttitojfdgx.izj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sxwlvdjt\gtruoro.fuy',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvrwkvknxaabriyw\pmfojithdcmeryt.srg',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Niikduolbedqywld\lkcbagravqkrfqh.nmi',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zoyzltjfgemqhsmn\vnkfptckelbvwlk.boa',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Livoial\pcccws.vji',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iazkdtsnhfgqyu\kqzarazxjjgtp.ohz',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qrtvgntlq\jkzevdis.pdj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: v8iFmF7XPp.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: v8iFmF7XPp.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: v8iFmF7XPp.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: v8iFmF7XPp.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: v8iFmF7XPp.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014D45 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_10014D45
PE file contains an invalid checksum
Source: v8iFmF7XPp.dll Static PE information: real checksum: 0x3e664 should be: 0x4bcc1
Source: jklaa.dll.5.dr Static PE information: real checksum: 0x0 should be: 0x744e9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BC6D push ecx; ret 3_2_1000BC80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000776A push ecx; ret 3_2_1000777D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_703378D6 push ecx; ret 21_2_703378E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70337F46 push ecx; ret 21_2_70337F59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452F1F7 push es; ret 24_2_0452F1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457F1F7 push es; ret 25_2_0457F1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A1F1F7 push es; ret 26_2_04A1F1F8

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Qfjc\jklaa.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Qfjc\jklaa.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qfjc\jojcnj.tmq:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qfjc\jojcnj.tmq:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ctxuywd\wutukq.pfb:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vzwiovrtengiv\kqvcktqgbfib.iqj:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uxwmb\jkpj.zgu:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vtvnv\rgao.stw:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Tduzowfuyye\kwrnkagaoo.gjy:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Acjeqx\suoth.uea:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vsbshgerbjleuww\jcxjttitojfdgx.izj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Sxwlvdjt\gtruoro.fuy:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vvrwkvknxaabriyw\pmfojithdcmeryt.srg:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Niikduolbedqywld\lkcbagravqkrfqh.nmi:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zoyzltjfgemqhsmn\vnkfptckelbvwlk.boa:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Livoial\pcccws.vji:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Iazkdtsnhfgqyu\kqzarazxjjgtp.ohz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qrtvgntlq\jkzevdis.pdj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Nclwmdrjta\qbpehozrnjd.aha:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70336987 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 21_2_70336987
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\rundll32.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70332180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, 21_2_70332180
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 2224 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70348C1D FindFirstFileExA, 21_2_70348C1D
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 60000
Source: svchost.exe, 00000002.00000002.207317479.000001FE66540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.272166419.00000222F4140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465414461.0000021EBAB40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.302595843.000001CFD3A80000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000004.00000002.464600010.000000000296B000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.468019347.000002C419E63000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000009.00000002.462255057.000002C414629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.461335122.000002268E202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: rundll32.exe, 00000004.00000002.464600010.000000000296B000.00000004.00000020.sdmp Binary or memory string: d_VMware
Source: svchost.exe, 00000002.00000002.207317479.000001FE66540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.272166419.00000222F4140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465414461.0000021EBAB40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.302595843.000001CFD3A80000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.207317479.000001FE66540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.272166419.00000222F4140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465414461.0000021EBAB40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.302595843.000001CFD3A80000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000B.00000002.461914068.000002268E228000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.462341811.0000021EB9E43000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.463098885.0000022FEC82A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.207317479.000001FE66540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.272166419.00000222F4140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465414461.0000021EBAB40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.302595843.000001CFD3A80000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002260 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWind 3_2_10002260
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100071DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100071DB
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70332180 Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, 21_2_70332180
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014D45 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_10014D45
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_044276B2 mov eax, dword ptr fs:[00000030h] 3_2_044276B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_050EF811 mov eax, dword ptr fs:[00000030h] 21_2_050EF811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_7033ED6E mov eax, dword ptr fs:[00000030h] 21_2_7033ED6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0454F811 mov eax, dword ptr fs:[00000030h] 24_2_0454F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0453C005 mov eax, dword ptr fs:[00000030h] 24_2_0453C005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0452EC16 mov eax, dword ptr fs:[00000030h] 24_2_0452EC16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0459F811 mov eax, dword ptr fs:[00000030h] 25_2_0459F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0458C005 mov eax, dword ptr fs:[00000030h] 25_2_0458C005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_0457EC16 mov eax, dword ptr fs:[00000030h] 25_2_0457EC16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A3F811 mov eax, dword ptr fs:[00000030h] 26_2_04A3F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A2C005 mov eax, dword ptr fs:[00000030h] 26_2_04A2C005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_04A1EC16 mov eax, dword ptr fs:[00000030h] 26_2_04A1EC16
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004300 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 3_2_10004300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100071DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100071DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008468 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10008468
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10009F46 __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10009F46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70337A38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_70337A38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_70337D7E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_70337D7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_7033CF38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_7033CF38

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.187.222.40 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 184.66.18.83 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 167.71.148.58 187 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,Module32NextW,GetCommandLineW,CommandLineToArgvW,lstrlenW,CryptStringToBinaryW,LocalFree,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle, explorer.exe 21_2_70332180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: Sleep,CreateToolhelp32Snapshot,GetLastError,Sleep,GetModuleFileNameW,PathFindFileNameW,Module32FirstW,Module32NextW,Module32NextW,FindCloseChangeNotification,Sleep,Module32NextW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ,std::ios_base::_Ios_base_dtor, explorer.exe 21_2_70331CE0
Creates a process in suspended mode (likely to inject code)