Windows Analysis Report wNjqkrm8pH

Overview

General Information

Sample Name: wNjqkrm8pH (renamed file extension from none to dll)
Analysis ID: 524862
MD5: 699b39c805f6a366707eb9a0e580bc0d
SHA1: 04489a4c9d50b62a9ff16f5baa67f568b2eb46ed
SHA256: 142d330305cf2bba895b000b9c7c2da6c6b38cb728d3fb347da8dd9f0bed4845
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.e45298.1.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: wNjqkrm8pH.dll Virustotal: Detection: 24%

Compliance:

Uses 32bit PE files
Source: wNjqkrm8pH.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: wNjqkrm8pH.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9DD1EE FindFirstFileExA, 0_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9DD1EE FindFirstFileExA, 2_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB1A80 FindFirstFileW, 14_2_00EB1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49747 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1 Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7 Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190 196.44.98.190
Source: Joe Sandbox View IP Address: 78.46.73.125 78.46.73.125
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 00000019.00000003.612262816.0000025AA9597000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.607542266.0000025AA9575000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.607594577.0000025AA9599000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC1027 InternetReadFile, 14_2_00EC1027
Source: global traffic HTTP traffic detected: GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1 Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7 Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 0_2_6E9B5EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: wNjqkrm8pH.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hsngzdtsiohsyp\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF3F5C 2_2_00CF3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CFC158 2_2_00CFC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D0F14D 2_2_00D0F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D0577E 2_2_00D0577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D01F6B 2_2_00D01F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D0FD10 2_2_00D0FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF2309 2_2_00CF2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF3502 2_2_00CF3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF251C 2_2_00CF251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D10B34 2_2_00D10B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF6B25 2_2_00CF6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF5923 2_2_00CF5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D1292B 2_2_00D1292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B6620 2_2_6E9B6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B5730 2_2_6E9B5730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9DC6FE 2_2_6E9DC6FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B5EE0 2_2_6E9B5EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9D3780 2_2_6E9D3780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9BF700 2_2_6E9BF700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9C1CD0 2_2_6E9C1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9CDC5D 2_2_6E9CDC5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9C7C47 2_2_6E9C7C47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9CA29D 2_2_6E9CA29D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B2A80 2_2_6E9B2A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9CDA2D 2_2_6E9CDA2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9E3074 2_2_6E9E3074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9E1929 2_2_6E9E1929
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032443B3 3_2_032443B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323441E 3_2_0323441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324CAA8 3_2_0324CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03235923 3_2_03235923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03236B25 3_2_03236B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0325292B 3_2_0325292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03250B34 3_2_03250B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03233502 3_2_03233502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03232309 3_2_03232309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324FD10 3_2_0324FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323251C 3_2_0323251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324056A 3_2_0324056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03241F6B 3_2_03241F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324577E 3_2_0324577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03233345 3_2_03233345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03251343 3_2_03251343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324F14D 3_2_0324F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323C158 3_2_0323C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03233F5C 3_2_03233F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03249DA1 3_2_03249DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03242FA2 3_2_03242FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03244BAA 3_2_03244BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324B1B5 3_2_0324B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323BFB6 3_2_0323BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03247BB2 3_2_03247BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03239384 3_2_03239384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03244D8D 3_2_03244D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323758F 3_2_0323758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03234F8E 3_2_03234F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323FD91 3_2_0323FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324B397 3_2_0324B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03251193 3_2_03251193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324D99A 3_2_0324D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324BFE8 3_2_0324BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032503F1 3_2_032503F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323C5FE 3_2_0323C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032525C3 3_2_032525C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03236FC4 3_2_03236FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323A3DF 3_2_0323A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323D223 3_2_0323D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03239E22 3_2_03239E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03245220 3_2_03245220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323EC27 3_2_0323EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03251A3C 3_2_03251A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324F83F 3_2_0324F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03234C00 3_2_03234C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03231A0A 3_2_03231A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323220A 3_2_0323220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03238C09 3_2_03238C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03241C10 3_2_03241C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323F41F 3_2_0323F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323E21C 3_2_0323E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324406E 3_2_0324406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03231C76 3_2_03231C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03232043 3_2_03232043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03232A46 3_2_03232A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324E441 3_2_0324E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03233845 3_2_03233845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323A048 3_2_0323A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03239A57 3_2_03239A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03232654 3_2_03232654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032478A5 3_2_032478A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323FEA0 3_2_0323FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324D6A7 3_2_0324D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032444AA 3_2_032444AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03235AB2 3_2_03235AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032498BD 3_2_032498BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032490BA 3_2_032490BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03237283 3_2_03237283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03250687 3_2_03250687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03244E8A 3_2_03244E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324748A 3_2_0324748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323CC8D 3_2_0323CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03233C91 3_2_03233C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324D091 3_2_0324D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0323AC95 3_2_0323AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324AC9B 3_2_0324AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324ECE3 3_2_0324ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324AEEB 3_2_0324AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324DEF4 3_2_0324DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032330F6 3_2_032330F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324BEC9 3_2_0324BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324CCD4 3_2_0324CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032508D1 3_2_032508D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03247ED1 3_2_03247ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03240ADE 3_2_03240ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3CAA8 5_2_00B3CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2441E 5_2_00B2441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B343B3 5_2_00B343B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B25AB2 5_2_00B25AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B390BA 5_2_00B390BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B398BD 5_2_00B398BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2FEA0 5_2_00B2FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3D6A7 5_2_00B3D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B378A5 5_2_00B378A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B344AA 5_2_00B344AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3D091 5_2_00B3D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B23C91 5_2_00B23C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2AC95 5_2_00B2AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3AC9B 5_2_00B3AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B27283 5_2_00B27283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B40687 5_2_00B40687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B34E8A 5_2_00B34E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3748A 5_2_00B3748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2CC8D 5_2_00B2CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B230F6 5_2_00B230F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3DEF4 5_2_00B3DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3ECE3 5_2_00B3ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3AEEB 5_2_00B3AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B37ED1 5_2_00B37ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B408D1 5_2_00B408D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3CCD4 5_2_00B3CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B30ADE 5_2_00B30ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3BEC9 5_2_00B3BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B41A3C 5_2_00B41A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3F83F 5_2_00B3F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B29E22 5_2_00B29E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2D223 5_2_00B2D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B35220 5_2_00B35220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2EC27 5_2_00B2EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B31C10 5_2_00B31C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2F41F 5_2_00B2F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2E21C 5_2_00B2E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B24C00 5_2_00B24C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B21A0A 5_2_00B21A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2220A 5_2_00B2220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B28C09 5_2_00B28C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B21C76 5_2_00B21C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3406E 5_2_00B3406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B29A57 5_2_00B29A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B22654 5_2_00B22654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B22043 5_2_00B22043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3E441 5_2_00B3E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B22A46 5_2_00B22A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B23845 5_2_00B23845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2A048 5_2_00B2A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B37BB2 5_2_00B37BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2BFB6 5_2_00B2BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3B1B5 5_2_00B3B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B32FA2 5_2_00B32FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B39DA1 5_2_00B39DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B34BAA 5_2_00B34BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2FD91 5_2_00B2FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3B397 5_2_00B3B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B41193 5_2_00B41193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3D99A 5_2_00B3D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B29384 5_2_00B29384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B24F8E 5_2_00B24F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2758F 5_2_00B2758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B34D8D 5_2_00B34D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B403F1 5_2_00B403F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2C5FE 5_2_00B2C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3BFE8 5_2_00B3BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2A3DF 5_2_00B2A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B26FC4 5_2_00B26FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B425C3 5_2_00B425C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B40B34 5_2_00B40B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B25923 5_2_00B25923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B26B25 5_2_00B26B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B4292B 5_2_00B4292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3FD10 5_2_00B3FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2251C 5_2_00B2251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B23502 5_2_00B23502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B22309 5_2_00B22309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3577E 5_2_00B3577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B31F6B 5_2_00B31F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3056A 5_2_00B3056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B2C158 5_2_00B2C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B23F5C 5_2_00B23F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B23345 5_2_00B23345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B41343 5_2_00B41343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3F14D 5_2_00B3F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBECE3 14_2_00EBECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA30F6 14_2_00EA30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBDEF4 14_2_00EBDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB7ED1 14_2_00EB7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC08D1 14_2_00EC08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB44AA 14_2_00EB44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB78A5 14_2_00EB78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA5AB2 14_2_00EA5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB748A 14_2_00EB748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAAC95 14_2_00EAAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA2043 14_2_00EA2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA3845 14_2_00EA3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB5220 14_2_00EB5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAEC27 14_2_00EAEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBF83F 14_2_00EBF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA220A 14_2_00EA220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA441E 14_2_00EA441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA55E8 14_2_00EA55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAC5FE 14_2_00EAC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB4BAA 14_2_00EB4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB2FA2 14_2_00EB2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA758F 14_2_00EA758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA9384 14_2_00EA9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC0B34 14_2_00EC0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBAEEB 14_2_00EBAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBA8F0 14_2_00EBA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBBEC9 14_2_00EBBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB0ADE 14_2_00EB0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBCCD4 14_2_00EBCCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBCAA8 14_2_00EBCAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EADAAE 14_2_00EADAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAFEA0 14_2_00EAFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBD6A7 14_2_00EBD6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB90BA 14_2_00EB90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB98BD 14_2_00EB98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB4E8A 14_2_00EB4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EACC8D 14_2_00EACC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA7283 14_2_00EA7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC0687 14_2_00EC0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBAC9B 14_2_00EBAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBD091 14_2_00EBD091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA3C91 14_2_00EA3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB406E 14_2_00EB406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA1C76 14_2_00EA1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAA048 14_2_00EAA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBE441 14_2_00EBE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA2A46 14_2_00EA2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA9A57 14_2_00EA9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA2654 14_2_00EA2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA9E22 14_2_00EA9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAD223 14_2_00EAD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC1A3C 14_2_00EC1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA1A0A 14_2_00EA1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA8C09 14_2_00EA8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA4C00 14_2_00EA4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAF41F 14_2_00EAF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAE21C 14_2_00EAE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB1C10 14_2_00EB1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBBFE8 14_2_00EBBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC03F1 14_2_00EC03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA6FC4 14_2_00EA6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC25C3 14_2_00EC25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAA3DF 14_2_00EAA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB9DA1 14_2_00EB9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB43B3 14_2_00EB43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB7BB2 14_2_00EB7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EABFB6 14_2_00EABFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBB1B5 14_2_00EBB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA4F8E 14_2_00EA4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB4D8D 14_2_00EB4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBD99A 14_2_00EBD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAFD91 14_2_00EAFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBB397 14_2_00EBB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC1193 14_2_00EC1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB1F6B 14_2_00EB1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB056A 14_2_00EB056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB577E 14_2_00EB577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBF14D 14_2_00EBF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA3345 14_2_00EA3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC1343 14_2_00EC1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EAC158 14_2_00EAC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA3F5C 14_2_00EA3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EC292B 14_2_00EC292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA5923 14_2_00EA5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA6B25 14_2_00EA6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA2309 14_2_00EA2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA3502 14_2_00EA3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA251C 14_2_00EA251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBFD10 14_2_00EBFD10
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E9C5BE0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E9C5BE0 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B13F0 zwxnlwalmcbgmt, 0_2_6E9B13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B13F0 zwxnlwalmcbgmt, 2_2_6E9B13F0
Sample file is different than original file name gathered from version info
Source: wNjqkrm8pH.dll Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs wNjqkrm8pH.dll
Source: wNjqkrm8pH.dll Virustotal: Detection: 24%
Source: wNjqkrm8pH.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
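The process-creation lines above show the sandbox's own export probing (loaddll32 launching rundll32 with #1, Control_RunDLL and two exported function names) followed by the behaviour that matters: rundll32 re-launching itself on a copy of the module placed in a new subdirectory of the system directory under a non-DLL extension (C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie, export cwqsUWjgRvl). The Python below is an added example, not part of the Joe Sandbox report and not a reproduction of any published Sigma rule: it parses process-creation lines in the report's own layout and returns an alert for each rundll32 launch that shows those traits. The first three sample lines are copied from the report; the explorer.exe/shell32.dll line is a constructed benign control. The set of allowed module extensions and the "subdirectory of System32/SysWOW64" heuristic are my assumptions.

```python
import ntpath
import re

# Process-creation events in the "Source: <parent> Process created: <image> <command line>"
# layout of the report above. The first three lines are copied from the report; the fourth
# (explorer.exe launching shell32.dll's Control_RunDLL) is a constructed benign control case.
SAMPLE_EVENTS = [
    r'Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl',
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL',
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
]

EVENT_RE = re.compile(r'^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*)$')
# rundll32 syntax: <exe> <module>[,<export>]; the module path may be quoted.
RUNDLL_ARGS_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+(?:"(?P<qmod>[^"]+)"|(?P<mod>[^,\s]+))\s*,?\s*(?P<export>\S*)')

# Assumptions (not from the report): module types rundll32 legitimately loads, and the
# system directories whose *subdirectories* normally hold no rundll32-loadable modules.
ALLOWED_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_event(line):
    """Split one report line into parent image, created image and command line."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def parse_rundll32_args(cmdline):
    """Return (module path, export name) from a rundll32 command line, or (None, '')."""
    m = RUNDLL_ARGS_RE.match(cmdline)
    if not m:
        return None, ""
    return m.group("qmod") or m.group("mod"), m.group("export")


def module_findings(module, parent):
    """List the traits of this rundll32 launch that deserve an alert."""
    findings = []
    low = module.lower()
    ext = ntpath.splitext(low)[1]
    if ext not in ALLOWED_MODULE_EXT:
        findings.append("module extension %s is not a normal rundll32 module type" % (ext or "(none)"))
    directory = ntpath.dirname(low)
    for sysdir in SYSTEM_DIRS:
        if directory.startswith(sysdir + "\\"):      # a subdirectory, not the system dir itself
            findings.append("module lives in a subdirectory of " + sysdir)
    if ntpath.basename(parent).lower() == "rundll32.exe":
        findings.append("rundll32 re-launched by rundll32")
    return findings


def scan(lines):
    """Return one alert dict per rundll32 process creation that has at least one finding."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ntpath.basename(ev["image"]).lower() != "rundll32.exe":
            continue
        module, export = parse_rundll32_args(ev["cmdline"])
        if module is None:
            continue
        reasons = module_findings(module, ev["parent"])
        if reasons:
            alerts.append({"parent": ev["parent"], "module": module,
                           "export": export, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print("%s -> %s,%s" % (a["parent"], a["module"], a["export"]))
        for r in a["reasons"]:
            print("    " + r)
```

Run against the sample, only the two launches of jlodhhplzusb.iie are reported, each on all three grounds; the desktop-DLL probes and the shell32 control case pass. The same persistence copy appears under both C:\Windows\SysWOW64\... and C:\Windows\System32\...: the launching rundll32 is the 32-bit SysWOW64 build, and under WoW64 file-system redirection a 32-bit process that opens a System32 path is transparently redirected to SysWOW64, so both command lines most likely refer to one file. A detector keyed on the literal path should therefore match both spellings, as the one above does.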
Source: classification engine Classification label: mal100.troj.evad.winDLL@27/0@0/21
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C3C90 CoCreateInstance, 0_2_6E9C3C90
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB1B54 CreateToolhelp32Snapshot, 14_2_00EB1B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9BEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_6E9BEBD0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: wNjqkrm8pH.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: wNjqkrm8pH.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wNjqkrm8pH.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wNjqkrm8pH.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wNjqkrm8pH.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wNjqkrm8pH.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01041229 push eax; retf 0_2_0104129A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C5C26 push ecx; ret 0_2_6E9C5C39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E8067 push ecx; ret 0_2_6E9E807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00CF1229 push eax; retf 2_2_00CF129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9C5C26 push ecx; ret 2_2_6E9C5C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9E8067 push ecx; ret 2_2_6E9E807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03231229 push eax; retf 3_2_0323129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B21229 push eax; retf 5_2_00B2129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EA1229 push eax; retf 14_2_00EA129A
PE file contains an invalid checksum
Source: wNjqkrm8pH.dll Static PE information: real checksum: 0x81586 should be: 0x815b6

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C7C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6E9C7C47
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E9B6672 second address: 000000006E9B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF1C9086B21h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E9B8A23 second address: 000000006E9B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF1C90F2E9Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E9B6672 second address: 000000006E9B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF1C9086B21h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E9B8A23 second address: 000000006E9B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF1C90F2E9Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6596 Thread sleep time: -180000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B6620 rdtscp 0_2_6E9B6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9DD1EE FindFirstFileExA, 0_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9DD1EE FindFirstFileExA, 2_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EB1A80 FindFirstFileW, 14_2_00EB1A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000019.00000002.631552535.0000025AA8C81000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9CED41
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C849D IsProcessorFeaturePresent,GetProcessHeap,HeapAlloc,InitializeSListHead,GetProcessHeap,HeapFree, 0_2_6E9C849D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B6620 rdtscp 0_2_6E9B6620
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105DE10 mov eax, dword ptr fs:[00000030h] 0_2_0105DE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B6620 mov ecx, dword ptr fs:[00000030h] 0_2_6E9B6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C849D mov esi, dword ptr fs:[00000030h] 0_2_6E9C849D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B6510 mov eax, dword ptr fs:[00000030h] 0_2_6E9B6510
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9B8A50 mov eax, dword ptr fs:[00000030h] 0_2_6E9B8A50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9D69AA mov eax, dword ptr fs:[00000030h] 0_2_6E9D69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00D0DE10 mov eax, dword ptr fs:[00000030h] 2_2_00D0DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B6620 mov ecx, dword ptr fs:[00000030h] 2_2_6E9B6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9C849D mov esi, dword ptr fs:[00000030h] 2_2_6E9C849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B6510 mov eax, dword ptr fs:[00000030h] 2_2_6E9B6510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9B8A50 mov eax, dword ptr fs:[00000030h] 2_2_6E9B8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9D69AA mov eax, dword ptr fs:[00000030h] 2_2_6E9D69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0324DE10 mov eax, dword ptr fs:[00000030h] 3_2_0324DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B3DE10 mov eax, dword ptr fs:[00000030h] 5_2_00B3DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00EBDE10 mov eax, dword ptr fs:[00000030h] 14_2_00EBDE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9CED41
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9C5ABD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E9C5239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E9CED41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E9C5ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E9C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E9C5239

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E9E57AC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E9E5F10
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E9DDD93
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E9E5DE7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E9DE2F8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E9E5A24
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E9E5A6F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E9E5B97
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E9E5B0A
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E9E60E4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E9E6017
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E9E597B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E9E57AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E9E5F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E9DDD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E9E5DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E9DE2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E9E5A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E9E5A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E9E5B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E9E5B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E9E60E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E9E6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E9E597B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C5916 cpuid 0_2_6E9C5916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9C5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E9C5C3C

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY