Windows Analysis Report qrb6jVwzoe

AV Detection:

Found malware configuration

Source: 8.3.rundll32.exe.3246c20.1.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Machine Learning detection for sample

Source: qrb6jVwzoe.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: qrb6jVwzoe.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49755 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: qrb6jVwzoe.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32188A FindFirstFileExW,		3_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32188A FindFirstFileExW,		4_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011A80 FindFirstFileW,		8_2_10011A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49755 -> 51.178.61.60:443
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.6:49756 -> 168.197.250.14:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49757 -> 45.79.33.48:8080
Source: Traffic	Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49760 -> 196.44.98.190:8080
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.6:49783 -> 177.72.80.14:7080
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.6:49783

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /BCcDzRknSjFPjuOxHLZvVqcO HTTP/1.1Cookie: QMpLEjjFd=c4U8GYO3gBQ2KCd18VNTs9PT8hpdVNqj4zLzgZE1fFI9x0SPtcMipNFNESf8CsAVem5JWMqQ8ndGaJ1DdBO6E5KdfcNjE1YapLmU92FtgBNQbP19LEuO+ya4SHRYKzrZSycrfZTK0DPGNQZNeJ6j1cioezM7bzeTQ/thQoUAbkNL0mgdSgnH4s5+Omur7YLxQg0NgsR41aDxprzsQzXD6m2hLQv3kzo0+dQAtysUr4iTrR26F9NeGzF2zkgnUERUJbSQGPdy5NBtzT8NJyvrR6k15te4INQfbmWwqTBzGbEzsQ==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.6:49757 -> 45.79.33.48:8080
Source: global traffic	TCP traffic: 192.168.2.6:49760 -> 196.44.98.190:8080
Source: global traffic	TCP traffic: 192.168.2.6:49783 -> 177.72.80.14:7080

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Nov 2021 15:49:10 GMTContent-Type: text/htmlContent-Length: 162Connection: close

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14

Found strings which match to known social media urls

Source: svchost.exe, 00000010.00000003.472140574.00000283AB37D000.00000004.00000001.sdmp

String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000010.00000003.472140574.00000283AB37D000.00000004.00000001.sdmp

String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

URLs found in memory or binary data

Source: svchost.exe, 00000010.00000002.488148840.00000283AB300000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000010.00000002.488035561.00000283AAAEF000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000010.00000003.468408043.00000283AB37D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.468696929.00000283AB802000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xml
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000010.00000003.469550789.00000283AB39E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469585503.00000283AB3B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Contains functionality to download additional files from the internet

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_10021027 InternetReadFile,

8_2_10021027

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /BCcDzRknSjFPjuOxHLZvVqcO HTTP/1.1Cookie: QMpLEjjFd=c4U8GYO3gBQ2KCd18VNTs9PT8hpdVNqj4zLzgZE1fFI9x0SPtcMipNFNESf8CsAVem5JWMqQ8ndGaJ1DdBO6E5KdfcNjE1YapLmU92FtgBNQbP19LEuO+ya4SHRYKzrZSycrfZTK0DPGNQZNeJ6j1cioezM7bzeTQ/thQoUAbkNL0mgdSgnH4s5+Omur7YLxQg0NgsR41aDxprzsQzXD6m2hLQv3kzo0+dQAtysUr4iTrR26F9NeGzF2zkgnUERUJbSQGPdy5NBtzT8NJyvrR6k15te4INQfbmWwqTBzGbEzsQ==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49755 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359009454.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.431973841.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.365562801.0000000000F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.382797966.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.877277824.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359302351.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.361400733.0000000000BDA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: qrb6jVwzoe.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc:Zone.Identifier

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Mkjhtkxzcnwc\

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31BB30		3_2_6F31BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F319F20		3_2_6F319F20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31B2B0		3_2_6F31B2B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F326564		3_2_6F326564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31B080		3_2_6F31B080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31BB30		4_2_6F31BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F319F20		4_2_6F319F20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31B2B0		4_2_6F31B2B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F326564		4_2_6F326564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31B080		4_2_6F31B080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000441E		4_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CAA8		4_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100143B3		4_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004C00		4_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10008C09		4_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011C10		4_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000F41F		4_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EC27		4_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F83F		4_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001E441		4_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002043		4_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003845		4_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A048		4_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001406E		4_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001C76		4_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001748A		4_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000CC8D		4_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D091		4_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003C91		4_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000AC95		4_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AC9B		4_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100178A5		4_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100144AA		4_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100190BA		4_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100198BD		4_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100208D1		4_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CCD4		4_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001ECE3		4_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001A8F0		4_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100030F6		4_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003502		4_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FD10		4_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000251C		4_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005923		4_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002292B		4_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F14D		4_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C158		4_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001056A		4_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014D8D		4_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000758F		4_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FD91		4_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021193		4_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D99A		4_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10019DA1		4_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001B1B5		4_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100225C3		4_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100055E8		4_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C5FE		4_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001A0A		4_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000220A		4_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E21C		4_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015220		4_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009E22		4_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D223		4_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021A3C		4_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002A46		4_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002654		4_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009A57		4_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007283		4_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020687		4_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014E8A		4_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FEA0		4_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D6A7		4_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000DAAE		4_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005AB2		4_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BEC9		4_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017ED1		4_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10010ADE		4_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AEEB		4_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DEF4		4_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002309		4_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006B25		4_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020B34		4_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021343		4_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003345		4_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003F5C		4_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011F6B		4_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001577E		4_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009384		4_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004F8E		4_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001B397		4_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10012FA2		4_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014BAA		4_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017BB2		4_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000BFB6		4_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006FC4		4_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A3DF		4_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BFE8		4_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100203F1		4_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10004C00		5_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000441E		5_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000F41F		5_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002043		5_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003845		5_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002A46		5_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001CAA8		5_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100190BA		5_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100208D1		5_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001ECE3		5_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001AEEB		5_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DEF4		5_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001056A		5_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009384		5_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D99A		5_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10017BB2		5_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10008C09		5_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001A0A		5_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000220A		5_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10011C10		5_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000E21C		5_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10015220		5_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009E22		5_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000D223		5_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000EC27		5_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001F83F		5_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021A3C		5_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001E441		5_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000A048		5_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002654		5_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009A57		5_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001406E		5_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001C76		5_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10007283		5_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10020687		5_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014E8A		5_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001748A		5_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000CC8D		5_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D091		5_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003C91		5_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000AC95		5_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001AC9B		5_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000FEA0		5_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100178A5		5_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D6A7		5_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100144AA		5_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000DAAE		5_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10005AB2		5_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100198BD		5_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001BEC9		5_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10017ED1		5_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001CCD4		5_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10010ADE		5_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001A8F0		5_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100030F6		5_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003502		5_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002309		5_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001FD10		5_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000251C		5_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10005923		5_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10006B25		5_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1002292B		5_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10020B34		5_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021343		5_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003345		5_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001F14D		5_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000C158		5_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003F5C		5_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10011F6B		5_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001577E		5_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014D8D		5_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10004F8E		5_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000758F		5_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000FD91		5_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021193		5_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001B397		5_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10019DA1		5_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10012FA2		5_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014BAA		5_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100143B3		5_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001B1B5		5_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000BFB6		5_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100225C3		5_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10006FC4		5_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000A3DF		5_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100055E8		5_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001BFE8		5_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100203F1		5_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000C5FE		5_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004C00		6_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000441E		6_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003845		6_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002A46		6_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100208D1		6_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001ECE3		6_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001AEEB		6_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DEF4		6_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009384		6_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D99A		6_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017BB2		6_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008C09		6_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001A0A		6_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000220A		6_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011C10		6_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000E21C		6_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000F41F		6_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015220		6_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009E22		6_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D223		6_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000EC27		6_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F83F		6_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021A3C		6_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E441		6_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002043		6_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A048		6_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002654		6_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009A57		6_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001406E		6_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001C76		6_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007283		6_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10020687		6_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014E8A		6_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001748A		6_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000CC8D		6_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D091		6_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003C91		6_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AC95		6_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001AC9B		6_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FEA0		6_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100178A5		6_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D6A7		6_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CAA8		6_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100144AA		6_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000DAAE		6_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005AB2		6_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100190BA		6_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100198BD		6_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BEC9		6_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017ED1		6_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CCD4		6_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010ADE		6_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001A8F0		6_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100030F6		6_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003502		6_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002309		6_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001FD10		6_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000251C		6_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005923		6_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006B25		6_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002292B		6_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10020B34		6_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021343		6_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003345		6_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F14D		6_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C158		6_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003F5C		6_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011F6B		6_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001056A		6_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001577E		6_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014D8D		6_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004F8E		6_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000758F		6_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FD91		6_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021193		6_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B397		6_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10019DA1		6_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012FA2		6_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014BAA		6_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100143B3		6_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B1B5		6_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000BFB6		6_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100225C3		6_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006FC4		6_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A3DF		6_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100055E8		6_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BFE8		6_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100203F1		6_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C5FE		6_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000441E		7_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CAA8		7_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100143B3		7_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004C00		7_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008C09		7_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001A0A		7_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000220A		7_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011C10		7_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E21C		7_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F41F		7_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015220		7_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009E22		7_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D223		7_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EC27		7_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F83F		7_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021A3C		7_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E441		7_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002043		7_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003845		7_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002A46		7_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A048		7_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002654		7_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009A57		7_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001406E		7_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001C76		7_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007283		7_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10020687		7_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014E8A		7_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001748A		7_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CC8D		7_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D091		7_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003C91		7_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000AC95		7_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001AC9B		7_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FEA0		7_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100178A5		7_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D6A7		7_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100144AA		7_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DAAE		7_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005AB2		7_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100190BA		7_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100198BD		7_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BEC9		7_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017ED1		7_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100208D1		7_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CCD4		7_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010ADE		7_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001ECE3		7_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001AEEB		7_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A8F0		7_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DEF4		7_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100030F6		7_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003502		7_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002309		7_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001FD10		7_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000251C		7_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005923		7_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006B25		7_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002292B		7_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10020B34		7_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021343		7_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003345		7_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F14D		7_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C158		7_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003F5C		7_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011F6B		7_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001056A		7_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001577E		7_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009384		7_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014D8D		7_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004F8E		7_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000758F		7_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FD91		7_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021193		7_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B397		7_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D99A		7_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019DA1		7_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012FA2		7_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014BAA		7_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017BB2		7_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B1B5		7_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BFB6		7_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100225C3		7_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006FC4		7_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A3DF		7_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100055E8		7_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BFE8		7_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100203F1		7_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C5FE		7_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000220A		8_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000441E		8_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10015220		8_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000EC27		8_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001F83F		8_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002043		8_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003845		8_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001748A		8_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000AC95		8_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100178A5		8_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100144AA		8_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10005AB2		8_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10017ED1		8_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100208D1		8_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001ECE3		8_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001DEF4		8_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100030F6		8_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10020B34		8_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009384		8_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000758F		8_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10012FA2		8_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014BAA		8_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000BFB6		8_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10006FC4		8_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100055E8		8_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100203F1		8_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000C5FE		8_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004C00		8_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10008C09		8_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001A0A		8_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011C10		8_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000E21C		8_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000F41F		8_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009E22		8_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000D223		8_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021A3C		8_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001E441		8_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002A46		8_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000A048		8_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002654		8_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009A57		8_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001406E		8_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001C76		8_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10007283		8_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10020687		8_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014E8A		8_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000CC8D		8_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D091		8_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003C91		8_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001AC9B		8_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000FEA0		8_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D6A7		8_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CAA8		8_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000DAAE		8_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100190BA		8_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100198BD		8_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BEC9		8_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CCD4		8_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10010ADE		8_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001AEEB		8_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001A8F0		8_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003502		8_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002309		8_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001FD10		8_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000251C		8_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10005923		8_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10006B25		8_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002292B		8_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021343		8_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003345		8_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001F14D		8_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000C158		8_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003F5C		8_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011F6B		8_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001056A		8_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001577E		8_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014D8D		8_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004F8E		8_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000FD91		8_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021193		8_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B397		8_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D99A		8_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10019DA1		8_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100143B3		8_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10017BB2		8_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B1B5		8_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100225C3		8_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000A3DF		8_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BFE8		8_2_1001BFE8

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 6F31D020 appears 48 times

PE file contains strange resources

Source: qrb6jVwzoe.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qrb6jVwzoe.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Classification label

Source: classification engine

Classification label: mal92.troj.evad.winDLL@20/7@0/22

Reads ini files

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_10011B54 CreateToolhelp32Snapshot,

8_2_10011B54

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL

Creates mutexes

Source: C:\Windows\SysWOW64\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\7ce3e80173264ea19b05306b865eadf9

Reads the hosts file

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: qrb6jVwzoe.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: qrb6jVwzoe.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30C7C9 push esi; retf		3_2_6F30C7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30BAD4 push ebx; iretd		3_2_6F30BADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30AD03 push esi; iretd		3_2_6F30AD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30CDEB push esp; ret		3_2_6F30CDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F305DD9 push eax; ret		3_2_6F305DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31D066 push ecx; ret		3_2_6F31D079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F309C81 push eax; retf		3_2_6F309C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30C7C9 push esi; retf		4_2_6F30C7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30BAD4 push ebx; iretd		4_2_6F30BADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30AD03 push esi; iretd		4_2_6F30AD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30CDEB push esp; ret		4_2_6F30CDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F305DD9 push eax; ret		4_2_6F305DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31D066 push ecx; ret		4_2_6F31D079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F309C81 push eax; retf		4_2_6F309C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001229 push eax; retf		4_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001229 push eax; retf		5_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001229 push eax; retf		6_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001229 push eax; retf		7_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001229 push eax; retf		8_2_1000129A

PE file contains sections with non-standard names

Source: qrb6jVwzoe.dll

Static PE information: section name: .flat

PE file contains an invalid checksum

Source: qrb6jVwzoe.dll

Static PE information: real checksum: 0x748e8 should be: 0x74470

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Wageozwapqd\lwcebmbtifvqy.ywx:Zone.Identifier read attributes | delete			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 1864	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1916	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6648	Thread sleep time: -30000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32188A FindFirstFileExW,		3_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32188A FindFirstFileExW,		4_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011A80 FindFirstFileW,		8_2_10011A80

Checks the free space of harddrives

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000015.00000002.859882550.0000015DEBE60000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000010.00000002.487907364.00000283AAA70000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.488027417.00000283AAAE3000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.488035561.00000283AAAEF000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859853416.0000015DEBE4A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000015.00000002.859453634.0000015DE6829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6F31FF39

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31BB30 GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,SetLastError,HeapFree,SetLastError,

3_2_6F31BB30

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31F416 mov eax, dword ptr fs:[00000030h]		3_2_6F31F416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F3214AE mov eax, dword ptr fs:[00000030h]		3_2_6F3214AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31F416 mov eax, dword ptr fs:[00000030h]		4_2_6F31F416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F3214AE mov eax, dword ptr fs:[00000030h]		4_2_6F3214AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DE10 mov eax, dword ptr fs:[00000030h]		4_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DE10 mov eax, dword ptr fs:[00000030h]		5_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DE10 mov eax, dword ptr fs:[00000030h]		6_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DE10 mov eax, dword ptr fs:[00000030h]		7_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001DE10 mov eax, dword ptr fs:[00000030h]		8_2_1001DE10

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6F31FF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_6F31C66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6F31CEA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6F31FF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_6F31C66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6F31CEA2

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31D07B cpuid

3_2_6F31D07B

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query local / system time

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31CAD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6F31CAD3

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359009454.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.431973841.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.365562801.0000000000F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.382797966.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.877277824.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359302351.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.361400733.0000000000BDA000.00000004.00000020.sdmp, type: MEMORY