Windows Analysis Report cRC6TZG6Wx

Overview

General Information

Sample Name: cRC6TZG6Wx (renamed file extension from none to dll)
Analysis ID: 528001
MD5: 8f6552b136a4dd8719c898f90df1ba44
SHA1: fea5b1d5e44dc58be42e472254e9b62b5caec532
SHA256: 03995882170eb6ebacaa47f77fc0c2e8fd78e17ab5427fbe3c70b2f91f46e44d
Tags: 32dllexetrojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 14.2.rundll32.exe.33a6b88.0.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
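The configuration above is directly usable for detection and for sanity-checking the extraction. The following Python is an added example, not part of the sandbox report or of Joe Sandbox's own tooling: it loads the extracted configuration verbatim, decodes the two public-key blobs, emits one Suricata rule per C2 endpoint, and maps the "Network Connect" events listed further down in the report (whose port column carries only the low byte of the port) back to full C2 endpoints. Assumptions not taken from this report: the blob layout ("ECK1"/"ECS1" magic, little-endian 4-byte coordinate length, then X||Y) and the reading of ECK1 as the key-exchange key and ECS1 as the signature-verification key come from public analyses of the late-2021 Emotet builds; big-endian coordinates and the P-256 curve are assumed for the on-curve check; SIDs from 9000001 upward are arbitrary local numbers.

```python
"""Consume the Emotet configuration the sandbox extracted from unpacked rundll32 memory."""
import base64
import json
import struct

# Configuration exactly as printed by the Malware Configuration Extractor in the report.
EMOTET_CONFIG = json.loads(r'''
{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
                "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"],
 "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
             "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
             "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
             "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
             "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
''')

# Assumed blob layout: 4-byte magic, little-endian u32 coordinate length, then X||Y.
KEY_HEADER = struct.Struct("<4sI")
KEY_ROLES = {"ECK1": "key exchange (ECDH)", "ECS1": "signature verification (ECDSA)"}  # assumed roles

# P-256 parameters (assumption: the 32-byte coordinates are a P-256 point, big-endian).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_ec_key(b64: str) -> dict:
    """Decode one base64 key blob and validate its header against the assumed layout."""
    raw = base64.b64decode(b64, validate=True)
    magic, coord_len = KEY_HEADER.unpack_from(raw)
    magic = magic.decode("ascii", "replace")
    if magic not in KEY_ROLES:
        raise ValueError(f"unexpected key magic {magic!r}")
    body = raw[KEY_HEADER.size:]
    if len(body) != 2 * coord_len:
        raise ValueError(f"expected {2 * coord_len} coordinate bytes, got {len(body)}")
    return {"magic": magic, "role": KEY_ROLES[magic], "coord_len": coord_len,
            "x": body[:coord_len], "y": body[coord_len:]}


def on_p256_curve(key: dict) -> bool:
    """True if (x, y) satisfies y^2 = x^3 - 3x + b (mod p). A False result means the
    extracted bytes are not a P-256 point, e.g. the memory dump was damaged or mis-parsed."""
    x = int.from_bytes(key["x"], "big")
    y = int.from_bytes(key["y"], "big")
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def c2_endpoints(config: dict) -> set:
    """Return the C2 list as a set of (ip, port) tuples."""
    endpoints = set()
    for entry in config["C2 list"]:
        host, _, port = entry.rpartition(":")
        endpoints.add((host, int(port)))
    return endpoints


def suricata_rules(config: dict, base_sid: int = 9000001) -> list:
    """One outbound alert rule per C2 endpoint; SIDs are local numbers chosen here."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2_endpoints(config))):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet C2 {ip}:{port} from extracted config"; flow:to_server; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


# "Network Connect" events from the report. The sandbox prints only the low byte of the
# destination port (8080 & 0xFF == 144, 443 & 0xFF == 187, 7080 & 0xFF == 168).
OBSERVED = [("196.44.98.190", 144), ("45.79.33.48", 144), ("168.197.250.14", 80),
            ("51.178.61.60", 187), ("177.72.80.14", 168)]


def match_observed(observed, config: dict) -> dict:
    """Map (ip, port_low_byte) events to the full C2 port from the configuration."""
    hits = {}
    for ip, low in observed:
        for c2_ip, c2_port in c2_endpoints(config):
            if c2_ip == ip and (c2_port & 0xFF) == low:
                hits[ip] = c2_port
    return hits


if __name__ == "__main__":
    for blob in EMOTET_CONFIG["Public Key"]:
        key = parse_ec_key(blob)
        print(key["magic"], key["role"], "on P-256 curve:", on_p256_curve(key))
    print("\n".join(suricata_rules(EMOTET_CONFIG)))
    print(match_observed(OBSERVED, EMOTET_CONFIG))
```

The on-curve check is the cheapest way to tell a genuine key from 72 bytes of arbitrary memory; it needs no third-party library, which matters when the script runs on an isolated analysis box.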
Multi AV Scanner detection for submitted file
Source: cRC6TZG6Wx.dll Virustotal: Detection: 18%
Source: cRC6TZG6Wx.dll ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: cRC6TZG6Wx.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: cRC6TZG6Wx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: cRC6TZG6Wx.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA4188A FindFirstFileExW, 7_2_6EA4188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA4188A FindFirstFileExW, 8_2_6EA4188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10011A80 FindFirstFileW, 14_2_10011A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49744 -> 51.178.61.60:443
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49745 -> 168.197.250.14:80
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49746 -> 45.79.33.48:8080
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.3:49749 -> 196.44.98.190:8080
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49753 -> 177.72.80.14:7080
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.3:49753
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 196.44.98.190 144 (= 8080 & 0xFF; the report prints only the low byte of the destination port, the full ports are in the Snort alerts above and in the C2 list)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.79.33.48 144 (port 8080)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80 (port 80)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187 (port 443)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 177.72.80.14 168 (port 7080)
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /cOCoCBOnwtlaPwqgYJsibWlqGyXElLKsrFlsKtesNMVjGBKbplkpiwohTqB HTTP/1.1
Cookie: CkaS=ZjwItdmT1ECYLtgJezxI3JoumM8yxrkDUD9XymD7kyc8EbFQVqQJDR+HcOYSYNuqm3GMHu9tyWocT2ebwQjCT6CFKOh4yFKGfmNQGEMjfJcGVJjfSjxi61uxl8IdZPCLFGO75XaQUz9hc2k46HlLfbLprvARhND47YDAUKst2IWTLUjdHo81K4H5Zdm6jP/AHUWKX74rhhb7vRaxi+yY5yVTZPMAbash8y0fiFtequ8CyFQdGqZu5JTKVCv/0hHiIAyjkgSlIkQi
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
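The request above shows the traits that make this traffic detectable without any C2 address: no User-Agent, a bare IP in Host, a long base64 cookie value (the encrypted request body) and a single long alphabetic path token. The following Python is an added example, not from the report or from Joe Sandbox, that scores a raw HTTP request on exactly those traits. The request is the one logged in the report, re-split into header lines with CRLF; the benign comparison request, the 128-character cookie threshold and the 20-letter path threshold are constructed here.

```python
"""Heuristic scoring of raw HTTP requests for the traits of the Emotet request in the report."""
import base64
import binascii
import ipaddress
import re

# The request the sandbox logged to 51.178.61.60 (header lines re-split with CRLF).
EMOTET_REQUEST = (
    b"GET /cOCoCBOnwtlaPwqgYJsibWlqGyXElLKsrFlsKtesNMVjGBKbplkpiwohTqB HTTP/1.1\r\n"
    b"Cookie: CkaS=ZjwItdmT1ECYLtgJezxI3JoumM8yxrkDUD9XymD7kyc8EbFQVqQJDR+HcOYSYNuqm3GMHu9tyWocT2eb"
    b"wQjCT6CFKOh4yFKGfmNQGEMjfJcGVJjfSjxi61uxl8IdZPCLFGO75XaQUz9hc2k46HlLfbLprvARhND47YDAUKst2I"
    b"WTLUjdHo81K4H5Zdm6jP/AHUWKX74rhhb7vRaxi+yY5yVTZPMAbash8y0fiFtequ8CyFQdGqZu5JTKVCv/0hHiIAyjkgSlIkQi\r\n"
    b"Host: 51.178.61.60\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

# Constructed benign request for comparison (not from the report).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def looks_like_base64(s: str) -> bool:
    """Strict alphabet check plus a real decode; unpadded input (as Emotet sends) is padded first."""
    padded = s + "=" * (-len(s) % 4)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", padded):
        return False
    try:
        base64.b64decode(padded, validate=True)
    except binascii.Error:
        return False
    return True


def cookie_payload(raw: bytes) -> bytes:
    """Decode the first cookie value; for Emotet this is the encrypted request body."""
    cookie = parse_request(raw)["headers"].get("cookie", "")
    value = cookie.partition("=")[2]
    return base64.b64decode(value + "=" * (-len(value) % 4))


def assess(raw: bytes, min_cookie_len: int = 128) -> list:
    """Return the list of suspicious traits found; an empty list means nothing matched."""
    req = parse_request(raw)
    h = req["headers"]
    reasons = []
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    host = h.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        reasons.append(f"Host is a bare IP address ({host})")
    except ValueError:
        pass
    name, _, value = h.get("cookie", "").partition("=")
    if value and len(value) >= min_cookie_len and looks_like_base64(value):
        reasons.append(f"cookie {name!r} carries {len(value)} chars of base64")
    if req["method"] == "GET" and re.fullmatch(r"/[A-Za-z]{20,}", req["path"]):
        reasons.append("GET path is a single long alphabetic token")
    return reasons


if __name__ == "__main__":
    for label, raw in (("emotet", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, assess(raw))
    print("decoded cookie bytes:", len(cookie_payload(EMOTET_REQUEST)))
```

Each trait on its own is weak (plenty of scripts omit a User-Agent), so the value is in the combination; the decoded cookie length is worth logging because it is the size of the encrypted check-in and stays stable across C2 rotations.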
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 45.79.33.48:8080
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 196.44.98.190:8080
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 177.72.80.14:7080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 24 Nov 2021 15:50:35 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: svchost.exe, 00000017.00000003.434121757.000002032F5A0000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000017.00000002.451268735.000002032F500000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000017.00000002.451129288.000002032ECE9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000000.00000002.305883375.0000025239A13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.305978867.0000025239A4E000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305596745.0000025239A49000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305655077.0000025239A41000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305965440.0000025239A42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305655077.0000025239A41000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305965440.0000025239A42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.305596745.0000025239A49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.283882985.0000025239A31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305883375.0000025239A13000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.283882985.0000025239A31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.305649382.0000025239A45000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.305952891.0000025239A3A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.283882985.0000025239A31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.305978867.0000025239A4E000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305596745.0000025239A49000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.431490413.000002032F5C6000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431504169.000002032F5C6000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431535096.000002032F5AF000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431519298.000002032F58E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431554045.000002032FA02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10021027 InternetReadFile, 14_2_10021027

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000002.293245588.0000000000F6B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 11.3.rundll32.exe.576c48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.576c48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.d86b70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9c77f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.rundll32.exe.576c48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31d6b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31d6b60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.d86b70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.33a6b88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9c77f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.576c48.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.33a6b88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.rundll32.exe.9c77f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000003.360457905.0000000003396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.290674131.0000000000576000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289238760.0000000000D86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.809828703.0000000003396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.289903082.0000000000576000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.293376232.00000000009BF000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.296343256.00000000031D6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.289844390.0000000000576000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.289024016.00000000009C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.413105360.0000000003396000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: cRC6TZG6Wx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Zrrbzia\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3B2B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA39F20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3BB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3B080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA46564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3BB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3B2B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA39F20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3B080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA46564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001D091 14_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10003C91 14_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001AC9B 14_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000FEA0 14_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001D6A7 14_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001CAA8 14_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000DAAE 14_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100190BA 14_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100198BD 14_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001BEC9 14_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001CCD4 14_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10010ADE 14_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001AEEB 14_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001A8F0 14_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10003502 14_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10002309 14_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001FD10 14_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000251C 14_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10005923 14_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10006B25 14_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1002292B 14_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10021343 14_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10003345 14_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001F14D 14_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000C158 14_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10003F5C 14_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10011F6B 14_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001056A 14_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001577E 14_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10014D8D 14_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10004F8E 14_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000FD91 14_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10021193 14_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001B397 14_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001D99A 14_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10019DA1 14_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100143B3 14_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10017BB2 14_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001B1B5 14_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_100225C3 14_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000A3DF 14_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001BFE8 14_2_1001BFE8
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA3D020 appears 48 times
PE file contains strange resources
Source: cRC6TZG6Wx.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cRC6TZG6Wx.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cRC6TZG6Wx.dll Virustotal: Detection: 18%
Source: cRC6TZG6Wx.dll ReversingLabs: Detection: 17%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll"
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj",HSFp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zrrbzia\fotuyl.lzj",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj",HSFp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zrrbzia\fotuyl.lzj",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine Classification label: mal100.troj.evad.winDLL@26/9@0/20
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10011B54 CreateToolhelp32Snapshot, 14_2_10011B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\7ce3e80173264ea19b05306b865eadf9
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cRC6TZG6Wx.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: cRC6TZG6Wx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cRC6TZG6Wx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cRC6TZG6Wx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cRC6TZG6Wx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cRC6TZG6Wx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cRC6TZG6Wx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA2BAD4 push ebx; iretd 7_2_6EA2BADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA2C7C9 push esi; retf 7_2_6EA2C7D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA29C81 push eax; retf 7_2_6EA29C83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3D066 push ecx; ret 7_2_6EA3D079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA2CDEB push esp; ret 7_2_6EA2CDEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA25DD9 push eax; ret 7_2_6EA25DE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA2AD03 push esi; iretd 7_2_6EA2AD14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA2BAD4 push ebx; iretd 8_2_6EA2BADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA2C7C9 push esi; retf 8_2_6EA2C7D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA29C81 push eax; retf 8_2_6EA29C83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3D066 push ecx; ret 8_2_6EA3D079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA2CDEB push esp; ret 8_2_6EA2CDEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA25DD9 push eax; ret 8_2_6EA25DE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA2AD03 push esi; iretd 8_2_6EA2AD14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_10001229 push eax; retf 8_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_10001229 push eax; retf 10_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_10001229 push eax; retf 11_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10001229 push eax; retf 13_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10001229 push eax; retf 14_2_1000129A
PE file contains sections with non-standard names
Source: cRC6TZG6Wx.dll Static PE information: section name: .flat
PE file contains an invalid checksum
Source: cRC6TZG6Wx.dll Static PE information: real checksum: 0x748e8 should be: 0x6f913

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gmkkytarncpdnvfs\shhwlgcq.qea:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6700 Thread sleep time: -90000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA4188A FindFirstFileExW, 7_2_6EA4188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA4188A FindFirstFileExW, 8_2_6EA4188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10011A80 FindFirstFileW, 14_2_10011A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000017.00000002.451129288.000002032ECE9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000017.00000002.451030529.000002032EC70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6EA3CEA2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3C280 GetProcessHeap,HeapFree, 7_2_6EA3C280
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA414AE mov eax, dword ptr fs:[00000030h] 7_2_6EA414AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3F416 mov eax, dword ptr fs:[00000030h] 7_2_6EA3F416
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA414AE mov eax, dword ptr fs:[00000030h] 8_2_6EA414AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3F416 mov eax, dword ptr fs:[00000030h] 8_2_6EA3F416
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_1001DE10 mov eax, dword ptr fs:[00000030h] 8_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_1001DE10 mov eax, dword ptr fs:[00000030h] 10_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1001DE10 mov eax, dword ptr fs:[00000030h] 11_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001DE10 mov eax, dword ptr fs:[00000030h] 13_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1001DE10 mov eax, dword ptr fs:[00000030h] 14_2_1001DE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6EA3CEA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6EA3C66F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6EA3FF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6EA3CEA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6EA3C66F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6EA3FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6EA3FF39

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 196.44.98.190 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.79.33.48 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 177.72.80.14 168
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL
Source: svchost.exe, 00000005.00000002.809298381.000001ED93D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.810365624.0000000003840000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000005.00000002.809298381.000001ED93D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.810365624.0000000003840000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000005.00000002.809298381.000001ED93D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.810365624.0000000003840000.00000002.00020000.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000005.00000002.809298381.000001ED93D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.810365624.0000000003840000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3D07B cpuid 7_2_6EA3D07B
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6EA3CAD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_6EA3CAD3

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000006.00000002.809106074.000002D36DB02000.00000004.00000001.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.809013614.000002D36DA3D000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.809106074.000002D36DB02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 11.3.rundll32.exe.576c48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.576c48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.d86b70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9c77f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.rundll32.exe.576c48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31d6b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.31d6b60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.d86b70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.33a6b88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.9c77f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.576c48.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.33a6b88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.rundll32.exe.9c77f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.rundll32.exe.33a6b88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000003.360457905.0000000003396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.290674131.0000000000576000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289238760.0000000000D86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.809828703.0000000003396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.289903082.0000000000576000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.293376232.00000000009BF000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.296343256.00000000031D6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.289844390.0000000000576000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.289024016.00000000009C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.413105360.0000000003396000.00000004.00000001.sdmp, type: MEMORY