Windows Analysis Report yFAXc9z51V

Overview

General Information

Sample Name: yFAXc9z51V (renamed file extension from none to dll)
Analysis ID: 524857
MD5: fee9ba8d79bcbc58800fda0cafbe5f64
SHA1: 82eb29987e6ed568a5ae01816de7240df1490c0d
SHA256: 3e8acc4d85b6ffc06b18b97a33a43628e8c11bc4dde8648bcc8a2ad9b1154150
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 12.2.rundll32.exe.33c6390.1.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: yFAXc9z51V.dll Virustotal: Detection: 24%
Source: yFAXc9z51V.dll ReversingLabs: Detection: 22%

Compliance:

Uses 32bit PE files
Source: yFAXc9z51V.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: yFAXc9z51V.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04051A80 FindFirstFileW, 19_2_04051A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49748 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /RUMPKfyWvwh HTTP/1.1
    Cookie: gVql=qP2SWVnr/WJG8YP5xSF8G7Rr6KkEKH5oVbT/aPyZcyn9K/saApq06qYJQ7VQDqAGQmsog3CqnGHN9x0QykU5uuVnobYs31akiF1WnncdqfGM3pGgWKZ2r4ogC9SE6Vh2+mnqzNK2/WuhSLvfpxzgrn3BeUCBI3LUqJXa1TfC4xBhYwdQa/6a5jixa5pMiqaToa/047TTwtpTt5xgOLwssCVW5YzKACeEqQfp8YgGPHadd14J0SJTGVNqyFCbrXXoDBPSb3GwjcRynh1BJ5z3u6jM5aWKTd6XgU1rwPi8sKMzrSyB1Zu0v5YluHWstRSulPtNogkEJBlOu+qxuLWX18w=
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04061027 InternetReadFile, 19_2_04061027

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA75EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 4_2_6EA75EE0

E-Banking Fraud:

Yara detected Emotet

System Summary:

Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Wlimfwutowthen\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02D60B34 4_2_02D60B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02D46B25 4_2_02D46B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02D45923 4_2_02D45923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02D6292B 4_2_02D6292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA76620 4_2_6EA76620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA75730 4_2_6EA75730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA75EE0 4_2_6EA75EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA9C6FE 4_2_6EA9C6FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA93780 4_2_6EA93780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA7F700 4_2_6EA7F700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA81CD0 4_2_6EA81CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8DC5D 4_2_6EA8DC5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA72A80 4_2_6EA72A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8A29D 4_2_6EA8A29D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8DA2D 4_2_6EA8DA2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EAA3074 4_2_6EAA3074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4CAA8 5_2_02C4CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3441E 5_2_02C3441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C443B3 5_2_02C443B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4BEC9 5_2_02C4BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4CCD4 5_2_02C4CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C508D1 5_2_02C508D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C47ED1 5_2_02C47ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C40ADE 5_2_02C40ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4ECE3 5_2_02C4ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4AEEB 5_2_02C4AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4DEF4 5_2_02C4DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C330F6 5_2_02C330F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C37283 5_2_02C37283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C50687 5_2_02C50687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C44E8A 5_2_02C44E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4748A 5_2_02C4748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3CC8D 5_2_02C3CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C33C91 5_2_02C33C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4D091 5_2_02C4D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3AC95 5_2_02C3AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4AC9B 5_2_02C4AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C478A5 5_2_02C478A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3FEA0 5_2_02C3FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4D6A7 5_2_02C4D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C444AA 5_2_02C444AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C35AB2 5_2_02C35AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C498BD 5_2_02C498BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C490BA 5_2_02C490BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C32043 5_2_02C32043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C32A46 5_2_02C32A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4E441 5_2_02C4E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C33845 5_2_02C33845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3A048 5_2_02C3A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C39A57 5_2_02C39A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C32654 5_2_02C32654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4406E 5_2_02C4406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C31C76 5_2_02C31C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C34C00 5_2_02C34C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C31A0A 5_2_02C31A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3220A 5_2_02C3220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C38C09 5_2_02C38C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C41C10 5_2_02C41C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3F41F 5_2_02C3F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3E21C 5_2_02C3E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3D223 5_2_02C3D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C39E22 5_2_02C39E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C45220 5_2_02C45220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3EC27 5_2_02C3EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C51A3C 5_2_02C51A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4F83F 5_2_02C4F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C525C3 5_2_02C525C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C36FC4 5_2_02C36FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3A3DF 5_2_02C3A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4BFE8 5_2_02C4BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C503F1 5_2_02C503F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3C5FE 5_2_02C3C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C39384 5_2_02C39384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C44D8D 5_2_02C44D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3758F 5_2_02C3758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C34F8E 5_2_02C34F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3FD91 5_2_02C3FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4B397 5_2_02C4B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C51193 5_2_02C51193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4D99A 5_2_02C4D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C49DA1 5_2_02C49DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C42FA2 5_2_02C42FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C44BAA 5_2_02C44BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4B1B5 5_2_02C4B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3BFB6 5_2_02C3BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C47BB2 5_2_02C47BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C33345 5_2_02C33345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C51343 5_2_02C51343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4F14D 5_2_02C4F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3C158 5_2_02C3C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C33F5C 5_2_02C33F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4056A 5_2_02C4056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C41F6B 5_2_02C41F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4577E 5_2_02C4577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C33502 5_2_02C33502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C32309 5_2_02C32309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4FD10 5_2_02C4FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C3251C 5_2_02C3251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C35923 5_2_02C35923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C36B25 5_2_02C36B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C5292B 5_2_02C5292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C50B34 5_2_02C50B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422441E 8_2_0422441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423CAA8 8_2_0423CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042343B3 8_2_042343B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04229E22 8_2_04229E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422D223 8_2_0422D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04235220 8_2_04235220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422EC27 8_2_0422EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04241A3C 8_2_04241A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423F83F 8_2_0423F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04224C00 8_2_04224C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04221A0A 8_2_04221A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422220A 8_2_0422220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04228C09 8_2_04228C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04231C10 8_2_04231C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422F41F 8_2_0422F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422E21C 8_2_0422E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423406E 8_2_0423406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04221C76 8_2_04221C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04222043 8_2_04222043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423E441 8_2_0423E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04222A46 8_2_04222A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04223845 8_2_04223845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422A048 8_2_0422A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04229A57 8_2_04229A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04222654 8_2_04222654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422FEA0 8_2_0422FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423D6A7 8_2_0423D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042378A5 8_2_042378A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042344AA 8_2_042344AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04225AB2 8_2_04225AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042390BA 8_2_042390BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042398BD 8_2_042398BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04227283 8_2_04227283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04240687 8_2_04240687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04234E8A 8_2_04234E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423748A 8_2_0423748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422CC8D 8_2_0422CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423D091 8_2_0423D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04223C91 8_2_04223C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422AC95 8_2_0422AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423AC9B 8_2_0423AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423ECE3 8_2_0423ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423AEEB 8_2_0423AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042230F6 8_2_042230F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423DEF4 8_2_0423DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423BEC9 8_2_0423BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04237ED1 8_2_04237ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042408D1 8_2_042408D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423CCD4 8_2_0423CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04230ADE 8_2_04230ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04225923 8_2_04225923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04226B25 8_2_04226B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0424292B 8_2_0424292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04240B34 8_2_04240B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04223502 8_2_04223502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04222309 8_2_04222309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423FD10 8_2_0423FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422251C 8_2_0422251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04231F6B 8_2_04231F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423056A 8_2_0423056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423577E 8_2_0423577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04223345 8_2_04223345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04241343 8_2_04241343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423F14D 8_2_0423F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422C158 8_2_0422C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04223F5C 8_2_04223F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04232FA2 8_2_04232FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04239DA1 8_2_04239DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04234BAA 8_2_04234BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04237BB2 8_2_04237BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422BFB6 8_2_0422BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423B1B5 8_2_0423B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04229384 8_2_04229384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04224F8E 8_2_04224F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422758F 8_2_0422758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04234D8D 8_2_04234D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422FD91 8_2_0422FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423B397 8_2_0423B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04241193 8_2_04241193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423D99A 8_2_0423D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423BFE8 8_2_0423BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042403F1 8_2_042403F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422C5FE 8_2_0422C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04226FC4 8_2_04226FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_042425C3 8_2_042425C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0422A3DF 8_2_0422A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404220A 19_2_0404220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404441E 19_2_0404441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404EC27 19_2_0404EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04055220 19_2_04055220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405F83F 19_2_0405F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04043845 19_2_04043845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04042043 19_2_04042043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405748A 19_2_0405748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404AC95 19_2_0404AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040578A5 19_2_040578A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040544AA 19_2_040544AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04045AB2 19_2_04045AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04057ED1 19_2_04057ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040608D1 19_2_040608D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405ECE3 19_2_0405ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405DEF4 19_2_0405DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040430F6 19_2_040430F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04060B34 19_2_04060B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04049384 19_2_04049384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404758F 19_2_0404758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04052FA2 19_2_04052FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04054BAA 19_2_04054BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040455E8 19_2_040455E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404C5FE 19_2_0404C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04044C00 19_2_04044C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04048C09 19_2_04048C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04041A0A 19_2_04041A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04051C10 19_2_04051C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404E21C 19_2_0404E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404F41F 19_2_0404F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04049E22 19_2_04049E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404D223 19_2_0404D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04061A3C 19_2_04061A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04042A46 19_2_04042A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405E441 19_2_0405E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404A048 19_2_0404A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04042654 19_2_04042654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04049A57 19_2_04049A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405406E 19_2_0405406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04041C76 19_2_04041C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04060687 19_2_04060687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04047283 19_2_04047283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404CC8D 19_2_0404CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04054E8A 19_2_04054E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405D091 19_2_0405D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04043C91 19_2_04043C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405AC9B 19_2_0405AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405D6A7 19_2_0405D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404FEA0 19_2_0404FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404DAAE 19_2_0404DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405CAA8 19_2_0405CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040598BD 19_2_040598BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040590BA 19_2_040590BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405BEC9 19_2_0405BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405CCD4 19_2_0405CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04050ADE 19_2_04050ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405AEEB 19_2_0405AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405A8F0 19_2_0405A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04043502 19_2_04043502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04042309 19_2_04042309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405FD10 19_2_0405FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404251C 19_2_0404251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04046B25 19_2_04046B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04045923 19_2_04045923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0406292B 19_2_0406292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04043345 19_2_04043345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04061343 19_2_04061343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405F14D 19_2_0405F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04043F5C 19_2_04043F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404C158 19_2_0404C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04051F6B 19_2_04051F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405056A 19_2_0405056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405577E 19_2_0405577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04054D8D 19_2_04054D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04044F8E 19_2_04044F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405B397 19_2_0405B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404FD91 19_2_0404FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04061193 19_2_04061193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405D99A 19_2_0405D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04059DA1 19_2_04059DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405B1B5 19_2_0405B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404BFB6 19_2_0404BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040543B3 19_2_040543B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04057BB2 19_2_04057BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04046FC4 19_2_04046FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040625C3 19_2_040625C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0404A3DF 19_2_0404A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405BFE8 19_2_0405BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_040603F1 19_2_040603F1
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA85BE0 appears 40 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA713F0 zwxnlwalmcbgmt, 4_2_6EA713F0
Sample file is different than original file name gathered from version info
Source: yFAXc9z51V.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs yFAXc9z51V.dll
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: yFAXc9z51V.dll Virustotal: Detection: 24%
Source: yFAXc9z51V.dll ReversingLabs: Detection: 22%
Source: yFAXc9z51V.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine Classification label: mal100.troj.evad.winDLL@37/8@0/20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA83C90 CoCreateInstance, 4_2_6EA83C90
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04051B54 CreateToolhelp32Snapshot, 19_2_04051B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3928:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA7EBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 4_2_6EA7EBD0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: yFAXc9z51V.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: yFAXc9z51V.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: yFAXc9z51V.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: yFAXc9z51V.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: yFAXc9z51V.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: yFAXc9z51V.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
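The rundll32 chains listed above are the detection-relevant pattern: a DLL on the user's Desktop is started with Control_RunDLL or a random export name, the payload is moved under a random subdirectory of SysWOW64/System32 with a non-.dll extension (gdntcqg.ebr), and rundll32 then re-launches rundll32 on that file. The Python below is an added example written for this page; it is not code from the sandbox vendor, from the Sigma rule the report mentions, or from the sample. It parses process-creation lines in the report's own format and applies the editor's own heuristics: the reason strings and the choice of what counts as suspicious are assumptions, and the sample lines are copied from this report.

```python
"""Triage rundll32 process-creation events for Emotet-style loading patterns.

Added example for this report; the heuristics are the editor's own, not the
sandbox's Sigma rule or anything taken from the sample.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Event lines copied verbatim from the behaviour section of this report.
REPORT_LINES = [
    r'Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb Jump to behavior',
    r'Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL Jump to behavior',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1 Jump to behavior',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt Jump to behavior',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL Jump to behavior',
    r'Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior',
]

# "Source: <parent> Process created: <image>.exe <command line> [Jump to behavior]"
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*?)(?: Jump to behavior)?$",
    re.IGNORECASE,
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
REASON_PARENT = "rundll32 spawned by another rundll32"
REASON_SYSDIR_SUB = "module sits in a subdirectory of System32/SysWOW64"
REASON_EXT = "module extension is not .dll/.cpl"
REASON_USERPATH = "module loaded from a user profile path"


@dataclass
class Finding:
    parent: str
    image: str
    module: str
    entry: str
    reasons: list = field(default_factory=list)


def split_rundll32_target(cmdline: str):
    """Return (module path, entry point) from a rundll32 command line.

    Handles both forms seen in the report: a bare path and a quoted path,
    each optionally followed by ,EntryName or ,#ordinal.
    """
    rest = cmdline.strip()
    # Drop the program token (rundll32.exe, or a quoted full path to it).
    if rest.startswith('"'):
        rest = rest[rest.index('"', 1) + 1:]
    else:
        rest = rest.split(None, 1)[1] if " " in rest else ""
    rest = rest.lstrip()
    if not rest:
        return "", ""
    if rest.startswith('"'):
        end = rest.index('"', 1)
        module, rest = rest[1:end], rest[end + 1:]
    else:
        m = re.match(r"[^,\s]+", rest)
        module, rest = (m.group(0), rest[m.end():]) if m else ("", rest)
    entry = rest[1:].split(None, 1)[0] if rest.startswith(",") and rest[1:].strip() else ""
    return module, entry


def assess(parent: str, image: str, cmdline: str):
    """Apply the heuristics; returns a Finding, or None for non-rundll32/unremarkable events."""
    if ntpath.basename(image).lower() != "rundll32.exe":
        return None
    module, entry = split_rundll32_target(cmdline)
    mod = module.lower()
    reasons = []
    if ntpath.basename(parent).lower() == "rundll32.exe":
        reasons.append(REASON_PARENT)
    if any(mod.startswith(d) and "\\" in mod[len(d):] for d in SYSTEM_DIRS):
        reasons.append(REASON_SYSDIR_SUB)
    if mod and ntpath.splitext(mod)[1] not in (".dll", ".cpl"):
        reasons.append(REASON_EXT)
    if mod.startswith("c:\\users\\"):
        reasons.append(REASON_USERPATH)
    return Finding(parent, image, module, entry, reasons) if reasons else None


def flag_rundll32_events(lines):
    """Parse report-style lines and return the Findings worth an analyst's attention."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            f = assess(m["parent"], m["image"], m["cmdline"])
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in flag_rundll32_events(REPORT_LINES):
        print(f"{f.module},{f.entry or '<default>'}: {'; '.join(f.reasons)}")
```

On a live host the same three fields come from Sysmon Event ID 1 or EDR process-creation telemetry (ParentImage, Image, CommandLine); only the regex needs swapping. Legitimate Control Panel applets (`rundll32 shell32.dll,Control_RunDLL something.cpl`) are deliberately not flagged, because the module is a plain `.dll` outside the user profile; the two strong signals here are the rundll32-to-rundll32 parent chain and a module with a made-up extension under a freshly created system subdirectory.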

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C51229 push eax; retf 1_2_00C5129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02D41229 push eax; retf 4_2_02D4129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA85C26 push ecx; ret 4_2_6EA85C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EAA8067 push ecx; ret 4_2_6EAA807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C31229 push eax; retf 5_2_02C3129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04221229 push eax; retf 8_2_0422129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04041229 push eax; retf 19_2_0404129A
PE file contains an invalid checksum
Source: yFAXc9z51V.dll Static PE information: real checksum: 0x81586 should be: 0x823cc
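The line above compares the value stored in IMAGE_OPTIONAL_HEADER.CheckSum (0x81586) with the value recomputed over the whole file (0x823cc). The following Python is an added example for this page, not code from the sandbox or the sample: it reimplements the recomputation (the arithmetic IMAGEHLP's MapFileAndCheckSum performs), verifies a stored field against it, and shows how a correct value is written back. The stub PE it builds is constructed for the demo and is not the analysed binary. Treat a wrong checksum as a weak signal on its own: the loader enforces it only for drivers and boot-time components, and many legitimate user-mode binaries ship with a zero field; a non-zero value that does not match, as here, usually means the file was altered, packed or patched after linking.

```python
"""Recompute the PE CheckSum the way IMAGEHLP's MapFileAndCheckSum does.

Added example for this report; the stub PE built below is constructed for the
demo and is not the analysed sample.
"""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (at 0x3C) -> 'PE\\0\\0' (4 bytes) -> IMAGE_FILE_HEADER (20 bytes)
    -> CheckSum at +0x40 into the optional header (same for PE32 and PE32+).
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes, skip_offset: int) -> int:
    """Sum the file as little-endian dwords with carry folding, skipping the dword
    that holds the CheckSum itself, fold to 16 bits, then add the file length.
    Assumes skip_offset is dword aligned, which holds for a normally aligned e_lfanew."""
    padded = data + b"\0" * (-len(data) % 4)
    skip_index = skip_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_checksum(data: bytes):
    """Return (stored, computed, matches), mirroring the report's 'real ... should be' line."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def patch_checksum(data: bytes) -> bytes:
    """Return a copy of the image with the correct CheckSum written into the header."""
    off = checksum_field_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def build_stub_pe(size: int = 512, stored_checksum: int = 0) -> bytes:
    """Constructed PE32 skeleton: DOS header, PE signature, COFF + optional header, junk tail."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)          # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x54, 0xE0)            # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", buf, 0x58, 0x010B)          # Optional header Magic: PE32
    struct.pack_into("<I", buf, 0x58 + 0x40, stored_checksum)
    buf[size - 64:] = bytes((i * 37 + 11) & 0xFF for i in range(64))  # stand-in for code/data
    return bytes(buf)


if __name__ == "__main__":
    stub = build_stub_pe()
    stored, computed, ok = verify_checksum(stub)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'mismatch'})")
```

Because the CheckSum dword is excluded from its own sum, writing the computed value back does not change the result, which is why `patch_checksum` followed by `verify_checksum` round-trips. To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `verify_checksum`.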

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA76672 second address: 000000006EA766A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F0DD8C6D1B1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA78A23 second address: 000000006EA78A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F0DD8C41D7Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA76672 second address: 000000006EA766A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F0DD8C6D1B1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006EA78A23 second address: 000000006EA78A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F0DD8C41D7Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 2528 Thread sleep time: -150000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA76620 rdtscp 4_2_6EA76620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04051A80 FindFirstFileW, 19_2_04051A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000000.00000002.807188737.000001FDAB602000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001F.00000002.574914431.000001D7FFEEA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001F.00000002.574914431.000001D7FFEEA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWS Platform Interface
Source: svchost.exe, 00000000.00000002.807319272.000001FDAB628000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.807831895.000001BFDBA68000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.807600872.0000024C81E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EA8ED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8849D IsProcessorFeaturePresent,GetProcessHeap,HeapAlloc,InitializeSListHead,GetProcessHeap,HeapFree, 4_2_6EA8849D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA76620 rdtscp 4_2_6EA76620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C6DE10 mov eax, dword ptr fs:[00000030h] 1_2_00C6DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02D5DE10 mov eax, dword ptr fs:[00000030h] 4_2_02D5DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA76620 mov ecx, dword ptr fs:[00000030h] 4_2_6EA76620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8849D mov esi, dword ptr fs:[00000030h] 4_2_6EA8849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA76510 mov eax, dword ptr fs:[00000030h] 4_2_6EA76510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA78A50 mov eax, dword ptr fs:[00000030h] 4_2_6EA78A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA969AA mov eax, dword ptr fs:[00000030h] 4_2_6EA969AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02C4DE10 mov eax, dword ptr fs:[00000030h] 5_2_02C4DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0423DE10 mov eax, dword ptr fs:[00000030h] 8_2_0423DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0405DE10 mov eax, dword ptr fs:[00000030h] 19_2_0405DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA8ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EA8ED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA85ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6EA85ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA85239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6EA85239

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6EAA57AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6EAA5F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EA9DD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EAA5DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EA9E2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EAA5A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EAA5A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6EAA5B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EAA5B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6EAA60E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EAA6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EAA597B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA85916 cpuid 4_2_6EA85916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EA85C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_6EA85C3C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000011.00000002.807785872.000001D93E102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.807633669.000001D93E040000.00000004.00000001.sdmp Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.2b14358.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.28d41f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2ad5298.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2974250.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b14358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.28d41f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.33c6390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2974250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2ad5298.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.33c6390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.365418732.0000000002ABA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.808384988.00000000026E7000.00000004.00000020.sdmp, type: MEMORY