Windows Analysis Report 5YO8hZg21O

Overview

General Information

Sample Name: 5YO8hZg21O (renamed file extension from none to dll)
Analysis ID: 524860
MD5: 5396135926f3d561823702e15191897a
SHA1: d69e5939a0fdac94d31fb7c782727e9e8bced2a0
SHA256: ac0c7a80d4eaf440526bd4b902e31bac13c09c94ca946dbd5591fd7c09d668f2
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locale information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file name differs from the original file name recorded in the version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 1.2.loaddll32.exe.b8b540.0.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: 5YO8hZg21O.dll Virustotal: Detection: 21%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/ Virustotal: Detection: 9%
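
The configuration block above is the most reusable output of the report, so the following added example (not part of the Joe Sandbox report) validates it before anyone feeds it to a block list. Emotet's 2021 builds carry two NIST P-256 public keys serialised as Windows CNG BCRYPT_ECCKEY_BLOB structures: a 4-byte magic ("ECK1" for the ECDH key, "ECS1" for the ECDSA key), a little-endian 32-bit coordinate length (0x20 = 32) and the raw X||Y coordinates; the two base64 strings above decode to exactly that. The code uses only the standard library, checks the blob header, tests whether the decoded point lies on P-256 (a garbled copy of a key almost never does), and parses the C2 list into (ip, port) pairs. The P-256 constants and the generator point used for the self-check are the standard ones; nothing else is assumed.

```python
"""Validate an Emotet configuration as printed by the sandbox extractor and
turn it into usable IOCs. Added example, not code from the report."""
import base64
import struct

# Copied verbatim from the report's "Found malware configuration" entry.
REPORT_CONFIG = {
    "Public Key": [
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    ],
    "C2 list": [
        "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080",
        "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080",
        "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443",
        "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
        "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080",
        "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080",
        "66.42.57.149:443", "195.154.146.35:443",
    ],
}

# NIST P-256 (secp256r1): y^2 = x^3 - 3x + b (mod p). Standard constants.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Generator point, used as a known-good key for the self-check.
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# BCRYPT_ECCKEY_BLOB magics: "ECK1" = ECDH P-256 public, "ECS1" = ECDSA P-256 public.
KEY_ROLES = {b"ECK1": "ECDH (traffic encryption)", b"ECS1": "ECDSA (response signing)"}


def parse_ecc_blob(b64: str) -> dict:
    """Decode one base64 BCRYPT_ECCKEY_BLOB and return magic, role, X and Y."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("blob too short for a BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = raw[:4], struct.unpack("<I", raw[4:8])[0]
    if magic not in KEY_ROLES:
        raise ValueError(f"unknown magic {magic!r}")
    if cb_key != 32 or len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"unexpected key length {cb_key} / blob size {len(raw)}")
    # CNG stores the coordinates big-endian, X first then Y.
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:], "big")
    return {"magic": magic.decode(), "role": KEY_ROLES[magic], "x": x, "y": y}


def on_p256_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies the P-256 curve equation."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def c2_endpoints(config: dict) -> list:
    """Turn 'ip:port' strings into (ip, port) tuples, rejecting malformed ones."""
    out = []
    for entry in config["C2 list"]:
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry {entry!r}")
        out.append((host, int(port)))
    return out


def summarize(config: dict) -> dict:
    """Parsed keys (with on-curve flag), C2 endpoints and the set of ports used."""
    keys = [parse_ecc_blob(k) for k in config["Public Key"]]
    for k in keys:
        k["on_curve"] = on_p256_curve(k["x"], k["y"])
    c2 = c2_endpoints(config)
    return {"keys": keys, "c2": c2, "ports": sorted({p for _, p in c2})}


if __name__ == "__main__":
    s = summarize(REPORT_CONFIG)
    for k in s["keys"]:
        print(f'{k["magic"]} {k["role"]}: on curve = {k["on_curve"]}')
    print(f'{len(s["c2"])} C2 endpoints on ports {s["ports"]}')
    # One "ip port" pair per line, ready for a firewall or IDS reputation feed.
    for ip, port in s["c2"]:
        print(ip, port)
```

The on-curve check is what separates a usable key from a mangled one: if a copy-pasted key fails it, the rest of the config should be treated as suspect too. The port summary matters operationally because the list mixes 443, 8080, 7080 and 80, so a block rule keyed on port 443 alone would miss most of the infrastructure.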

Compliance:

Uses 32bit PE files
Source: 5YO8hZg21O.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: 5YO8hZg21O.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1AD1EE FindFirstFileExA, 1_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F1AD1EE FindFirstFileExA, 3_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00EA1A80 FindFirstFileW, 16_2_00EA1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49744 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI HTTP/1.1
  Cookie: BVq=wHBtME3BTvrsq6ERaxvqV74K175PcHA24bIWLDvPLoS1yKbr56Te7Vwjn8yCzOb5uzKJ+NM/RhoV/mJ/gEOd2piZqQlfbkOPLRNqvIQh34bv6jYQ4eiZWAF5phOpnxaIL7NaJmqh2Rh3BnY6Al2CP1ZA3YwrRE+JwhxIfOAtxkeWKcmFs+sB1vzHELNH5hCfiAG33DpQULpyZwsTzH1N2WMTRxF8XKCrAEZVjYtSxpcgZyxbIS111PWiNLscb+HuEFGnWkXsxMJgHhIGJCK0WJlO7KRDP6W4uiWwbI3Rqiedq147jj+TLE3bLUWRJYyiP8n0GEM=
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60 (listed 11 times in the report)
Source: svchost.exe, 0000001B.00000003.735530689.000001D765D6C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, 00000010.00000003.534280239.0000000003193000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.862885542.000001B689888000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.862795195.000001B689815000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/.Tw
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI
Source: rundll32.exe, 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqIT
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqITg3
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00EB1027 InternetReadFile, 16_2_00EB1027
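
The beacon the sandbox captured is recognisable by shape rather than by content: a GET to a bare IP address (the report notes that no DNS query preceded the connection), no User-Agent header at all, and a single Cookie whose value is one base64 blob carrying the encrypted check-in. The Snort hit above (ET CNC Feodo Tracker) only fires once the C2 address is on a reputation list, so an added example follows (not part of the report) that scores a request on those structural indicators alone. The request it uses is the one from the report, re-split into header lines; the benign comparison request, the 64-byte minimum payload size and the path-length threshold are constructed choices for illustration.

```python
"""Heuristic for Emotet-style HTTP check-ins, keyed on request shape.
Added example, not code from the report."""
import base64
import binascii
import ipaddress
import re

# Request captured in the report, re-split into header lines.
REPORT_REQUEST = (
    "GET /GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI HTTP/1.1\r\n"
    "Cookie: BVq=wHBtME3BTvrsq6ERaxvqV74K175PcHA24bIWLDvPLoS1yKbr56Te7Vwjn8yCzOb5uzKJ+NM/RhoV/mJ/gEOd2piZqQlfbkOPLRNqvIQh34bv6jYQ4eiZWAF5phOpnxaIL7NaJmqh2Rh3BnY6Al2CP1ZA3YwrRE+JwhxIfOAtxkeWKcmFs+sB1vzHELNH5hCfiAG33DpQULpyZwsTzH1N2WMTRxF8XKCrAEZVjYtSxpcgZyxbIS111PWiNLscb+HuEFGnWkXsxMJgHhIGJCK0WJlO7KRDP6W4uiWwbI3Rqiedq147jj+TLE3bLUWRJYyiP8n0GEM=\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Constructed benign request for comparison (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/94.0\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=abc123; theme=dark\r\n\r\n"
)

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_PAYLOAD = 64  # constructed threshold: real check-ins are far larger than a session id


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host: str) -> bool:
    """True for a Host header that is an IP address (no name resolution needed)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def base64_payload_len(cookie: str):
    """If the Cookie header is exactly one name=value pair whose value is valid
    base64, return the decoded length; otherwise None."""
    if ";" in cookie or "=" not in cookie:
        return None
    name, _, value = cookie.partition("=")
    if not name or not BASE64_RE.match(value) or len(value) % 4:
        return None
    try:
        return len(base64.b64decode(value, validate=True))
    except binascii.Error:
        return None


def emotet_beacon_indicators(raw: str) -> dict:
    """Return each indicator separately so an analyst can see why it fired."""
    method, path, headers = parse_request(raw)
    payload = base64_payload_len(headers.get("cookie", ""))
    return {
        "method": method,
        "ip_literal_host": is_ip_literal(headers.get("host", "")),
        "no_user_agent": "user-agent" not in headers,
        "single_base64_cookie": payload is not None and payload >= MIN_PAYLOAD,
        "opaque_path": re.fullmatch(r"/[A-Za-z0-9]{8,}", path) is not None,
    }


def is_emotet_like(raw: str) -> bool:
    """Require all four shape indicators; any one alone is far too common."""
    ind = emotet_beacon_indicators(raw)
    return (ind["method"] in ("GET", "POST") and ind["ip_literal_host"]
            and ind["no_user_agent"] and ind["single_base64_cookie"]
            and ind["opaque_path"])


if __name__ == "__main__":
    for label, req in (("report", REPORT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, is_emotet_like(req), emotet_beacon_indicators(req))
```

Requiring all indicators keeps the false-positive rate low: IP-literal hosts and missing User-Agents are routine for internal tooling, and a lone base64 cookie is common, but the combination with an opaque alphanumeric path is what the capture above shows. Pair this with the reputation rule rather than replacing it; the heuristic catches the C2 the feed has not yet listed, the feed catches a beacon whose shape changes.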

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F185EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 1_2_6F185EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 9.2.rundll32.exe.b44230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.b8b540.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.b8b540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.34c4df8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.34c4df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.34343b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.b44230.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3114f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.34343b8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2fb4358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3114f88.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2fb4358.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 5YO8hZg21O.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\
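
The two entries above, together with the "Sigma detected: Emotet RunDLL32 Process Creation" signature, describe the host-side footprint: rundll32.exe creates a random-named directory directly under C:\Windows\SysWOW64, places a payload there with a non-DLL extension (wsxegqzrq.heo) and strips its Zone.Identifier stream. The added example below (not part of the report) turns that into a process-creation check over Sysmon-style Event ID 1 records. The report does not print the command line, so the sample events assume the usual rundll32 "<module path>",<export> form; the export name, the benign events and the small allowlist of legitimate SysWOW64 subdirectories are constructed for illustration.

```python
"""Flag rundll32 process creations that match the Emotet drop pattern.
Added example, not code from the report."""
import ntpath
import re
from typing import Dict, List

# Constructed sample events. The first reuses the directory and file name
# the report lists; its command line is assumed, not captured.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL'},
    # Benign: a Control Panel applet launched the normal way.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll"},
    # Variant with a .dll extension: the odd directory alone is still enough.
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.dll",Run'},
    # Not rundll32 at all: ignored regardless of the command line.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# First argument after the executable token: a quoted path, or a bare path
# up to the comma that separates module from export.
RUNDLL_ARG_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))')
# Exactly one directory level between SysWOW64 and the file name.
SYSWOW64_SUBDIR_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\SysWOW64\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
# Subdirectories that legitimately hold loadable modules. Illustrative
# allowlist; tune it to the fleet.
KNOWN_SUBDIRS = {"drivers", "wbem", "windowspowershell", "downlevel"}
MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def extract_module(command_line: str):
    """Return the module path rundll32 was asked to load, or None."""
    m = RUNDLL_ARG_RE.match(command_line)
    if not m:
        return None
    return m.group("q") or m.group("u")


def classify(event: Dict[str, str]) -> List[str]:
    """Reasons the event matches the Emotet rundll32 pattern (empty = clean)."""
    reasons: List[str] = []
    if ntpath.basename(event.get("Image", "")).lower() != "rundll32.exe":
        return reasons
    module = extract_module(event.get("CommandLine", ""))
    if module is None:
        return reasons
    ext = ntpath.splitext(module)[1].lower()
    if ext not in MODULE_EXTS:
        reasons.append(f"module has non-library extension {ext or '(none)'}")
    sub = SYSWOW64_SUBDIR_RE.match(module)
    if sub and sub.group(1).lower() not in KNOWN_SUBDIRS:
        reasons.append(f"module loaded from unexpected SysWOW64 subdirectory {sub.group(1)}")
    return reasons


def suspicious_events(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the events that produced at least one reason."""
    return [i for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, classify(e) or "clean", "|", e["CommandLine"])
```

The two signals are deliberately independent: the non-library extension catches the exact artefact the report shows, and the unexpected SysWOW64 subdirectory catches the same loader even when the dropped file is renamed to .dll. Either one on its own is worth a look when the parent is not an installer or a known management agent.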
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CACAA8 1_2_00CACAA8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9441E 1_2_00C9441E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA43B3 1_2_00CA43B3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CABEC9 1_2_00CABEC9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA0ADE 1_2_00CA0ADE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB08D1 1_2_00CB08D1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA7ED1 1_2_00CA7ED1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CACCD4 1_2_00CACCD4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAAEEB 1_2_00CAAEEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAECE3 1_2_00CAECE3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAA8F0 1_2_00CAA8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CADEF4 1_2_00CADEF4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C930F6 1_2_00C930F6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA4E8A 1_2_00CA4E8A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA748A 1_2_00CA748A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9CC8D 1_2_00C9CC8D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C97283 1_2_00C97283
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB0687 1_2_00CB0687
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAAC9B 1_2_00CAAC9B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C93C91 1_2_00C93C91
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAD091 1_2_00CAD091
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9AC95 1_2_00C9AC95
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA44AA 1_2_00CA44AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9DAAE 1_2_00C9DAAE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9FEA0 1_2_00C9FEA0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAD6A7 1_2_00CAD6A7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA78A5 1_2_00CA78A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA90BA 1_2_00CA90BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA98BD 1_2_00CA98BD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C95AB2 1_2_00C95AB2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9A048 1_2_00C9A048
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C92043 1_2_00C92043
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAE441 1_2_00CAE441
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C93845 1_2_00C93845
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C92A46 1_2_00C92A46
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C92654 1_2_00C92654
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C99A57 1_2_00C99A57
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA406E 1_2_00CA406E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C91C76 1_2_00C91C76
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C98C09 1_2_00C98C09
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C91A0A 1_2_00C91A0A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9220A 1_2_00C9220A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C94C00 1_2_00C94C00
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9E21C 1_2_00C9E21C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9F41F 1_2_00C9F41F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA1C10 1_2_00CA1C10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA5220 1_2_00CA5220
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9D223 1_2_00C9D223
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C99E22 1_2_00C99E22
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9EC27 1_2_00C9EC27
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAF83F 1_2_00CAF83F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB1A3C 1_2_00CB1A3C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB25C3 1_2_00CB25C3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C96FC4 1_2_00C96FC4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9A3DF 1_2_00C9A3DF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C955E8 1_2_00C955E8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CABFE8 1_2_00CABFE8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9C5FE 1_2_00C9C5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB03F1 1_2_00CB03F1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9758F 1_2_00C9758F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA4D8D 1_2_00CA4D8D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C94F8E 1_2_00C94F8E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C99384 1_2_00C99384
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAD99A 1_2_00CAD99A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB1193 1_2_00CB1193
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9FD91 1_2_00C9FD91
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAB397 1_2_00CAB397
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA4BAA 1_2_00CA4BAA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA2FA2 1_2_00CA2FA2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA9DA1 1_2_00CA9DA1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA7BB2 1_2_00CA7BB2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAB1B5 1_2_00CAB1B5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9BFB6 1_2_00C9BFB6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAF14D 1_2_00CAF14D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB1343 1_2_00CB1343
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C93345 1_2_00C93345
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9C158 1_2_00C9C158
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C93F5C 1_2_00C93F5C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA056A 1_2_00CA056A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA1F6B 1_2_00CA1F6B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C92309 1_2_00C92309
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C93502 1_2_00C93502
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C9251C 1_2_00C9251C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CAFD10 1_2_00CAFD10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB292B 1_2_00CB292B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C95923 1_2_00C95923
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C96B25 1_2_00C96B25
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CB0B34 1_2_00CB0B34
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F185730 1_2_6F185730
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F186620 1_2_6F186620
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F18F700 1_2_6F18F700
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1A3780 1_2_6F1A3780
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1AC6FE 1_2_6F1AC6FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F185EE0 1_2_6F185EE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F19DC5D 1_2_6F19DC5D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F191CD0 1_2_6F191CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F19DA2D 1_2_6F19DA2D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F19A29D 1_2_6F19A29D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F182A80 1_2_6F182A80
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1B3074 1_2_6F1B3074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0313056A 3_2_0313056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0313D99A 3_2_0313D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03129384 3_2_03129384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03137BB2 3_2_03137BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0312441E 3_2_0312441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0312F41F 3_2_0312F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03124C00 3_2_03124C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03122043 3_2_03122043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03122A46 3_2_03122A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03123845 3_2_03123845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031390BA 3_2_031390BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0313CAA8 3_2_0313CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031408D1 3_2_031408D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0313DEF4 3_2_0313DEF4
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6F195BE0 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F195BE0 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1813F0 zwxnlwalmcbgmt, 1_2_6F1813F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F1813F0 zwxnlwalmcbgmt, 3_2_6F1813F0
Sample file is different than original file name gathered from version info
Source: 5YO8hZg21O.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs 5YO8hZg21O.dll
Source: 5YO8hZg21O.dll Virustotal: Detection: 21%
Source: 5YO8hZg21O.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,abziuleoxsborpb
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",xBPZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@29/5@0/22
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F18BC70 SHGetFolderPathW,CoCreateInstance, 1_2_6F18BC70
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00EA1B54 CreateToolhelp32Snapshot, 16_2_00EA1B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F18EBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 1_2_6F18EBD0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 5YO8hZg21O.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 5YO8hZg21O.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5YO8hZg21O.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5YO8hZg21O.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5YO8hZg21O.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5YO8hZg21O.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C91229 push eax; retf 1_2_00C9129A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CA6134 push edi; retf 0040h 1_2_00CA6135
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F195C26 push ecx; ret 1_2_6F195C39
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1B8067 push ecx; ret 1_2_6F1B807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03121229 push eax; retf 3_2_0312129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F195C26 push ecx; ret 3_2_6F195C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F1B8067 push ecx; ret 3_2_6F1B807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03311229 push eax; retf 5_2_0331129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00AF1229 push eax; retf 9_2_00AF129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00E91229 push eax; retf 16_2_00E9129A
PE file contains an invalid checksum
Source: 5YO8hZg21O.dll Static PE information: real checksum: 0x81586 should be: 0x78a30

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F197C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6F197C47
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006F186672 second address: 000000006F1866A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F29A4A2E451h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006F188A23 second address: 000000006F188A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F29A4A2E74Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006F186672 second address: 000000006F1866A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F29A4A2E451h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006F188A23 second address: 000000006F188A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F29A4A2E74Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 2680 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2696 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5416 Thread sleep time: -120000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F186620 rdtscp 1_2_6F186620
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1AD1EE FindFirstFileExA, 1_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F1AD1EE FindFirstFileExA, 3_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00EA1A80 FindFirstFileW, 16_2_00EA1A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: svchost.exe, 00000011.00000002.862867478.000001B689861000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000006.00000002.868336172.000001CB6EC02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.862853839.000001B68984B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.752514434.000001D76547C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000011.00000002.862506728.000001B684029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`c
Source: svchost.exe, 00000006.00000002.868436450.000001CB6EC28000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F19ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6F19ED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F198508 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 1_2_6F198508
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F186620 rdtscp 1_2_6F186620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CADE10 mov eax, dword ptr fs:[00000030h] 1_2_00CADE10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F186620 mov ecx, dword ptr fs:[00000030h] 1_2_6F186620
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F186510 mov eax, dword ptr fs:[00000030h] 1_2_6F186510
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F19849D mov esi, dword ptr fs:[00000030h] 1_2_6F19849D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F188A50 mov eax, dword ptr fs:[00000030h] 1_2_6F188A50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F1A69AA mov eax, dword ptr fs:[00000030h] 1_2_6F1A69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0313DE10 mov eax, dword ptr fs:[00000030h] 3_2_0313DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F186620 mov ecx, dword ptr fs:[00000030h] 3_2_6F186620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F186510 mov eax, dword ptr fs:[00000030h] 3_2_6F186510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F19849D mov esi, dword ptr fs:[00000030h] 3_2_6F19849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F188A50 mov eax, dword ptr fs:[00000030h] 3_2_6F188A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F1A69AA mov eax, dword ptr fs:[00000030h] 3_2_6F1A69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0332DE10 mov eax, dword ptr fs:[00000030h] 5_2_0332DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00B0DE10 mov eax, dword ptr fs:[00000030h] 9_2_00B0DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00EADE10 mov eax, dword ptr fs:[00000030h] 16_2_00EADE10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F19ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6F19ED41
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F195239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6F195239
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F195ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6F195ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F19ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6F19ED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F195239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6F195239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F195ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6F195ABD

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6F1B5F10
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6F1B57AC
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6F1ADD93
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6F1B5DE7
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6F1B5B0A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6F1B5B97
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6F1B5A24
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6F1B5A6F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6F1AE2F8
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6F1B597B
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6F1B6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6F1B5F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6F1B57AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F1ADD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F1B5DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F1B5B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6F1B5B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F1B5A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F1B5A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F1AE2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F1B597B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F1B6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6F1B60E4
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F195916 cpuid 1_2_6F195916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6F195C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6F195C3C

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 9.2.rundll32.exe.b44230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.b8b540.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.b8b540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.34c4df8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.34c4df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.34343b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.b44230.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3114f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.34343b8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2fb4358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.3114f88.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2fb4358.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp, type: MEMORY