Windows Analysis Report wUKXjICs5f

Overview

General Information

Sample Name: wUKXjICs5f (renamed file extension from none to dll)
Analysis ID: 528002
MD5: b65325cbe036c4e86a94428d8e7fab49
SHA1: 8788e13d2a0fad0a31f5a48613d2fcbd521d0d2e
SHA256: 3a8acc008eaad0a94e3b5fbd200028fa342773869b3f7f7edf772adbfb52d789
Tags: dll
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 7.3.rundll32.exe.2de6d08.1.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: wUKXjICs5f.dll Virustotal: Detection: 18% Perma Link
Source: wUKXjICs5f.dll ReversingLabs: Detection: 18%
Machine Learning detection for sample
Source: wUKXjICs5f.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.rundll32.exe.2de6d08.0.unpack Avira: Label: TR/ATRAPS.Gen

Compliance:

barindex
Uses 32bit PE files
Source: wUKXjICs5f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: wUKXjICs5f.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF6188A FindFirstFileExW, 2_2_6EF6188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF6188A FindFirstFileExW, 3_2_6EF6188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011A80 FindFirstFileW, 7_2_10011A80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49759 -> 51.178.61.60:443
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.5:49760 -> 168.197.250.14:80
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49761 -> 45.79.33.48:8080
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.5:49764 -> 196.44.98.190:8080
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.5:49771 -> 177.72.80.14:7080
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.5:49771
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 196.44.98.190 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.79.33.48 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 177.72.80.14 168 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /eUOoKZnMdMEYuzcUGINMwfTbKAcjacjvJSVpjTRzbVm HTTP/1.1Cookie: Be=/e+ryNwguw53nczD4xJbHFDdjL37F8QEcvMUykYv5sMEo8XxTD2o8cwSPVNEeJJpE5Syx1Bf/DX/hqpSxNKsMxn2Ni9QSPVu6f0TDMC2oBhbvl9FQyvGFwptqWxP7HZVr62liakOpnLCl0gkxE5DOypBURsXex0ZCya1qA6riCZpqL5WFAMXK8wxqLuKCzUpLtUplaztUYNZ7KjQKriVl6DmQ/frACwvbJ9i/s8W2Nu2YdRl4Y5Ww2i6C8qiArBbmkhOEpAZhvzdElhNOKLgZAdMSE8UILYNfp310IxZJVWTLsk=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190 196.44.98.190
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49761 -> 45.79.33.48:8080
Source: global traffic TCP traffic: 192.168.2.5:49764 -> 196.44.98.190:8080
Source: global traffic TCP traffic: 192.168.2.5:49771 -> 177.72.80.14:7080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Nov 2021 15:52:16 GMTContent-Type: text/htmlContent-Length: 162Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: svchost.exe, 0000001F.00000003.572538302.0000021E8BF90000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.572538302.0000021E8BF90000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.572538302.0000021E8BF90000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.572538302.0000021E8BF90000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.twitter.com (Twitter)
Source: svchost.exe, 00000009.00000002.602601499.000001E83FE62000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.591117975.0000021E8B8E5000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572181788.0000021E8B8E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000009.00000002.602509978.000001E83FE15000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.7.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000007.00000003.379592807.0000000005214000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.506570983.0000000005214000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.378767649.0000000005212000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.773753317.0000000005214000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.380052172.0000000005214000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?448426eeae8f8
Source: svchost.exe, 0000001F.00000003.564391800.0000021E8BF91000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564457255.0000021E8BFB2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564478110.0000021E8BF6F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564036829.0000021E8BF80000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564023868.0000021E8BF6F000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000E.00000002.308634880.000001CD38C13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000002.770897010.000002313B644000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.770897010.000002313B644000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000C.00000002.770897010.000002313B644000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.770776311.000002313B629000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.770776311.000002313B629000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308707257.000001CD38C4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.308686000.000001CD38C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308707257.000001CD38C4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.308122559.000001CD38C4E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308729135.000001CD38C56000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308250376.000001CD38C50000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308707257.000001CD38C4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.308686000.000001CD38C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.286363428.000001CD38C30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.308182467.000001CD38C40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308694172.000001CD38C42000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308223700.000001CD38C41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.308182467.000001CD38C40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308694172.000001CD38C42000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308223700.000001CD38C41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.308182467.000001CD38C40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308707257.000001CD38C4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001F.00000003.564391800.0000021E8BF91000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564457255.0000021E8BFB2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564478110.0000021E8BF6F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564036829.0000021E8BF80000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564023868.0000021E8BF6F000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308707257.000001CD38C4B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308147027.000001CD38C49000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308707257.000001CD38C4B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000002.308761304.000001CD38C65000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308223700.000001CD38C41000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.308102108.000001CD38C61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.286363428.000001CD38C30000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308686000.000001CD38C3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.286363428.000001CD38C30000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.308686000.000001CD38C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.308634880.000001CD38C13000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308686000.000001CD38C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286363428.000001CD38C30000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308182467.000001CD38C40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308216969.000001CD38C45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286363428.000001CD38C30000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000002.308678800.000001CD38C39000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.286363428.000001CD38C30000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.308122559.000001CD38C4E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308729135.000001CD38C56000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308250376.000001CD38C50000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001F.00000003.564391800.0000021E8BF91000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564457255.0000021E8BFB2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564478110.0000021E8BF6F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564036829.0000021E8BF80000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564023868.0000021E8BF6F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001F.00000003.564391800.0000021E8BF91000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564457255.0000021E8BFB2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564478110.0000021E8BF6F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564036829.0000021E8BF80000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.564023868.0000021E8BF6F000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001F.00000003.566381591.0000021E8BF84000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.566395962.0000021E8BF95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.566408108.0000021E8BFCD000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.566451706.0000021E8C402000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10021027 InternetReadFile, 7_2_10021027
Source: global traffic HTTP traffic detected: GET /eUOoKZnMdMEYuzcUGINMwfTbKAcjacjvJSVpjTRzbVm HTTP/1.1Cookie: Be=/e+ryNwguw53nczD4xJbHFDdjL37F8QEcvMUykYv5sMEo8XxTD2o8cwSPVNEeJJpE5Syx1Bf/DX/hqpSxNKsMxn2Ni9QSPVu6f0TDMC2oBhbvl9FQyvGFwptqWxP7HZVr62liakOpnLCl0gkxE5DOypBURsXex0ZCya1qA6riCZpqL5WFAMXK8wxqLuKCzUpLtUplaztUYNZ7KjQKriVl6DmQ/frACwvbJ9i/s8W2Nu2YdRl4Y5Ww2i6C8qiArBbmkhOEpAZhvzdElhNOKLgZAdMSE8UILYNfp310IxZJVWTLsk=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49759 version: TLS 1.2

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 3.2.rundll32.exe.2886c78.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.rundll32.exe.2de6d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.26b6bc0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2806c60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2806c60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32a6ba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2886c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.26b6bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32a6ba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.rundll32.exe.2de6d08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2de6d08.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.rundll32.exe.2de6d08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.26b6bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2de6d08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.772022098.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.250860645.00000000032A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.276395554.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.252359098.00000000032A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.251084633.00000000032A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.506501770.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.256705273.0000000002806000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254361044.000000000267A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.250320926.00000000026B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.327953238.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.251529098.0000000002886000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Uses 32bit PE files
Source: wUKXjICs5f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Fuigi\opvkeqtc.jnf:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Fuigi\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5B2B0 2_2_6EF5B2B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5BB30 2_2_6EF5BB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF59F20 2_2_6EF59F20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5B080 2_2_6EF5B080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF66564 2_2_6EF66564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5BB30 3_2_6EF5BB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5B2B0 3_2_6EF5B2B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF59F20 3_2_6EF59F20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5B080 3_2_6EF5B080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF66564 3_2_6EF66564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000441E 3_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CAA8 3_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100143B3 3_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004C00 3_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008C09 3_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011C10 3_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000F41F 3_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EC27 3_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F83F 3_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001E441 3_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002043 3_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003845 3_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000A048 3_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001406E 3_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001C76 3_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001748A 3_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000CC8D 3_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D091 3_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003C91 3_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AC95 3_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001AC9B 3_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100178A5 3_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100144AA 3_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100190BA 3_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100198BD 3_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100208D1 3_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CCD4 3_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001ECE3 3_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001A8F0 3_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100030F6 3_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003502 3_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FD10 3_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000251C 3_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10005923 3_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002292B 3_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F14D 3_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C158 3_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001056A 3_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014D8D 3_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000758F 3_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FD91 3_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021193 3_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D99A 3_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019DA1 3_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B1B5 3_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100225C3 3_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100055E8 3_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C5FE 3_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001A0A 3_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000220A 3_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E21C 3_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10015220 3_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10009E22 3_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D223 3_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021A3C 3_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002A46 3_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002654 3_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10009A57 3_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007283 3_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10020687 3_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014E8A 3_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FEA0 3_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D6A7 3_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DAAE 3_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10005AB2 3_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001BEC9 3_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10017ED1 3_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010ADE 3_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001AEEB 3_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001DEF4 3_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002309 3_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10006B25 3_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10020B34 3_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021343 3_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003345 3_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003F5C 3_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011F6B 3_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001577E 3_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10009384 3_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004F8E 3_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B397 3_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012FA2 3_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014BAA 3_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10017BB2 3_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BFB6 3_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10006FC4 3_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000A3DF 3_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001BFE8 3_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100203F1 3_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004C00 4_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000441E 4_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000F41F 4_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002043 4_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003845 4_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002A46 4_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001CAA8 4_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100190BA 4_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100208D1 4_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001ECE3 4_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001AEEB 4_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001DEF4 4_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001056A 4_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10009384 4_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001D99A 4_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10017BB2 4_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10008C09 4_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001A0A 4_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000220A 4_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10011C10 4_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000E21C 4_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10015220 4_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10009E22 4_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000D223 4_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000EC27 4_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001F83F 4_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021A3C 4_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001E441 4_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000A048 4_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002654 4_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10009A57 4_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001406E 4_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001C76 4_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10007283 4_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10020687 4_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10014E8A 4_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001748A 4_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000CC8D 4_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001D091 4_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003C91 4_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000AC95 4_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001AC9B 4_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000FEA0 4_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100178A5 4_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001D6A7 4_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100144AA 4_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000DAAE 4_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10005AB2 4_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100198BD 4_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001BEC9 4_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10017ED1 4_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001CCD4 4_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10010ADE 4_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001A8F0 4_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100030F6 4_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003502 4_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002309 4_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001FD10 4_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000251C 4_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10005923 4_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10006B25 4_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002292B 4_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10020B34 4_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021343 4_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003345 4_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001F14D 4_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C158 4_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003F5C 4_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10011F6B 4_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001577E 4_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10014D8D 4_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004F8E 4_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000758F 4_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000FD91 4_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10021193 4_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001B397 4_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10019DA1 4_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10012FA2 4_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10014BAA 4_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100143B3 4_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001B1B5 4_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000BFB6 4_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100225C3 4_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10006FC4 4_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000A3DF 4_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100055E8 4_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001BFE8 4_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100203F1 4_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C5FE 4_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10004C00 5_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000441E 5_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10003845 5_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10002A46 5_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100208D1 5_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001ECE3 5_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001AEEB 5_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001DEF4 5_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10009384 5_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001D99A 5_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10017BB2 5_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10008C09 5_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10001A0A 5_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000220A 5_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10011C10 5_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000E21C 5_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000F41F 5_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10015220 5_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10009E22 5_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000D223 5_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000EC27 5_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001F83F 5_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10021A3C 5_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001E441 5_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10002043 5_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000A048 5_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10002654 5_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10009A57 5_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001406E 5_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10001C76 5_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10007283 5_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10020687 5_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10014E8A 5_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001748A 5_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000CC8D 5_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001D091 5_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10003C91 5_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000AC95 5_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001AC9B 5_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000FEA0 5_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100178A5 5_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001D6A7 5_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001CAA8 5_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100144AA 5_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000DAAE 5_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10005AB2 5_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100190BA 5_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100198BD 5_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001BEC9 5_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10017ED1 5_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001CCD4 5_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10010ADE 5_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001A8F0 5_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100030F6 5_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10003502 5_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10002309 5_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001FD10 5_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000251C 5_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10005923 5_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10006B25 5_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1002292B 5_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10020B34 5_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10021343 5_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10003345 5_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001F14D 5_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000C158 5_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10003F5C 5_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10011F6B 5_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001056A 5_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001577E 5_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10014D8D 5_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10004F8E 5_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000758F 5_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000FD91 5_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10021193 5_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001B397 5_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10019DA1 5_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10012FA2 5_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10014BAA 5_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100143B3 5_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001B1B5 5_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000BFB6 5_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100225C3 5_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10006FC4 5_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000A3DF 5_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100055E8 5_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001BFE8 5_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_100203F1 5_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1000C5FE 5_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000441E 6_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001CAA8 6_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100143B3 6_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10004C00 6_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10008C09 6_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001A0A 6_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000220A 6_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10011C10 6_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000E21C 6_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000F41F 6_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10015220 6_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10009E22 6_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000D223 6_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000EC27 6_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001F83F 6_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10021A3C 6_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001E441 6_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002043 6_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10003845 6_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002A46 6_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000A048 6_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002654 6_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10009A57 6_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001406E 6_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001C76 6_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007283 6_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10020687 6_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10014E8A 6_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001748A 6_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000CC8D 6_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001D091 6_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10003C91 6_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000AC95 6_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001AC9B 6_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000FEA0 6_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100178A5 6_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001D6A7 6_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100144AA 6_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000DAAE 6_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10005AB2 6_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100190BA 6_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100198BD 6_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001BEC9 6_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10017ED1 6_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100208D1 6_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001CCD4 6_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10010ADE 6_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001ECE3 6_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001AEEB 6_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001A8F0 6_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001DEF4 6_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100030F6 6_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10003502 6_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002309 6_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001FD10 6_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000251C 6_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10005923 6_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10006B25 6_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002292B 6_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10020B34 6_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10021343 6_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10003345 6_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001F14D 6_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C158 6_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10003F5C 6_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10011F6B 6_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001056A 6_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001577E 6_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10009384 6_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10014D8D 6_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10004F8E 6_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000758F 6_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000FD91 6_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10021193 6_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001B397 6_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001D99A 6_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10019DA1 6_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10012FA2 6_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10014BAA 6_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10017BB2 6_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001B1B5 6_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000BFB6 6_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100225C3 6_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10006FC4 6_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000A3DF 6_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100055E8 6_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001BFE8 6_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100203F1 6_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C5FE 6_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000220A 7_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000441E 7_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015220 7_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000EC27 7_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001F83F 7_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002043 7_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003845 7_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001748A 7_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000AC95 7_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100178A5 7_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100144AA 7_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005AB2 7_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10017ED1 7_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100208D1 7_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001ECE3 7_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DEF4 7_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100030F6 7_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10020B34 7_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009384 7_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000758F 7_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012FA2 7_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014BAA 7_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BFB6 7_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006FC4 7_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100055E8 7_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100203F1 7_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C5FE 7_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004C00 7_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008C09 7_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001A0A 7_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011C10 7_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E21C 7_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F41F 7_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009E22 7_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D223 7_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10021A3C 7_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001E441 7_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002A46 7_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A048 7_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002654 7_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009A57 7_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001406E 7_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001C76 7_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007283 7_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10020687 7_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014E8A 7_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000CC8D 7_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D091 7_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003C91 7_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001AC9B 7_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000FEA0 7_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D6A7 7_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CAA8 7_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000DAAE 7_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100190BA 7_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100198BD 7_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BEC9 7_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CCD4 7_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010ADE 7_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001AEEB 7_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A8F0 7_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003502 7_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002309 7_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001FD10 7_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000251C 7_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005923 7_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006B25 7_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002292B 7_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10021343 7_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003345 7_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001F14D 7_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C158 7_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003F5C 7_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011F6B 7_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001056A 7_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001577E 7_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014D8D 7_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004F8E 7_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000FD91 7_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10021193 7_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B397 7_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D99A 7_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019DA1 7_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100143B3 7_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10017BB2 7_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B1B5 7_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100225C3 7_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A3DF 7_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BFE8 7_2_1001BFE8
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EF5D020 appears 48 times
PE file contains strange resources
Source: wUKXjICs5f.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wUKXjICs5f.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: wUKXjICs5f.dll Virustotal: Detection: 18%
Source: wUKXjICs5f.dll ReversingLabs: Detection: 18%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wUKXjICs5f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wUKXjICs5f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fuigi\opvkeqtc.jnf",CjHxo
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Fuigi\opvkeqtc.jnf",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wUKXjICs5f.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wUKXjICs5f.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fuigi\opvkeqtc.jnf",CjHxo Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Fuigi\opvkeqtc.jnf",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@29/9@0/21
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011B54 CreateToolhelp32Snapshot, 7_2_10011B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wUKXjICs5f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\7ce3e80173264ea19b05306b865eadf9
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: wUKXjICs5f.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: wUKXjICs5f.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wUKXjICs5f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wUKXjICs5f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wUKXjICs5f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wUKXjICs5f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wUKXjICs5f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF4BAD4 push ebx; iretd 2_2_6EF4BADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF4C7C9 push esi; retf 2_2_6EF4C7D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF49C81 push eax; retf 2_2_6EF49C83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5D066 push ecx; ret 2_2_6EF5D079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF4CDEB push esp; ret 2_2_6EF4CDEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF45DD9 push eax; ret 2_2_6EF45DE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF4AD03 push esi; iretd 2_2_6EF4AD14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF4BAD4 push ebx; iretd 3_2_6EF4BADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF4C7C9 push esi; retf 3_2_6EF4C7D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF49C81 push eax; retf 3_2_6EF49C83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5D066 push ecx; ret 3_2_6EF5D079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF4CDEB push esp; ret 3_2_6EF4CDEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF45DD9 push eax; ret 3_2_6EF45DE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF4AD03 push esi; iretd 3_2_6EF4AD14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001229 push eax; retf 3_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001229 push eax; retf 4_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_10001229 push eax; retf 5_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001229 push eax; retf 6_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001229 push eax; retf 7_2_1000129A
PE file contains sections with non-standard names
Source: wUKXjICs5f.dll Static PE information: section name: .flat
PE file contains an invalid checksum
Source: wUKXjICs5f.dll Static PE information: real checksum: 0x748e8 should be: 0x6e85f

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Fuigi\opvkeqtc.jnf Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fuigi\opvkeqtc.jnf:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Nscdc\kokhvtkmoofti.djn:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6624 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6768 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5052 Thread sleep time: -210000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF6188A FindFirstFileExW, 2_2_6EF6188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF6188A FindFirstFileExW, 3_2_6EF6188A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011A80 FindFirstFileW, 7_2_10011A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 0000001F.00000002.590962547.0000021E8B870000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@@
Source: svchost.exe, 00000009.00000002.602208449.000001E83A62A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@a
Source: svchost.exe, 00000009.00000002.602601499.000001E83FE62000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000009.00000002.602578209.000001E83FE4A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.591117975.0000021E8B8E5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001F.00000002.591139133.0000021E8B8F4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW}
Source: svchost.exe, 0000000C.00000002.771136140.000002313B666000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.770654030.00000225AD629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EF5CEA2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5C280 GetProcessHeap,HeapFree, 2_2_6EF5C280
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF614AE mov eax, dword ptr fs:[00000030h] 2_2_6EF614AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5F416 mov eax, dword ptr fs:[00000030h] 2_2_6EF5F416
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF614AE mov eax, dword ptr fs:[00000030h] 3_2_6EF614AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5F416 mov eax, dword ptr fs:[00000030h] 3_2_6EF5F416
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001DE10 mov eax, dword ptr fs:[00000030h] 3_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001DE10 mov eax, dword ptr fs:[00000030h] 4_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_1001DE10 mov eax, dword ptr fs:[00000030h] 5_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001DE10 mov eax, dword ptr fs:[00000030h] 6_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DE10 mov eax, dword ptr fs:[00000030h] 7_2_1001DE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EF5CEA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EF5C66F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EF5FF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EF5CEA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6EF5C66F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EF5FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EF5FF39

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 196.44.98.190 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.79.33.48 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 177.72.80.14 168 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wUKXjICs5f.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wUKXjICs5f.dll,Control_RunDLL Jump to behavior
Source: rundll32.exe, 00000007.00000002.772821571.0000000003340000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000007.00000002.772821571.0000000003340000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000007.00000002.772821571.0000000003340000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000007.00000002.772821571.0000000003340000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000007.00000002.772821571.0000000003340000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5D07B cpuid 2_2_6EF5D07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EF5CAD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6EF5CAD3

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000011.00000002.770684595.00000157EE240000.00000004.00000001.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.770853003.00000157EE302000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 3.2.rundll32.exe.2886c78.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.rundll32.exe.2de6d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.26b6bc0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2806c60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2806c60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.32a6ba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32a6ba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2886c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.26b6bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.32a6ba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.rundll32.exe.2de6d08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2de6d08.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.rundll32.exe.2de6d08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.26b6bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2de6d08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.772022098.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.250860645.00000000032A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.276395554.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.252359098.00000000032A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.251084633.00000000032A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.506501770.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.256705273.0000000002806000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254361044.000000000267A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.250320926.00000000026B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.327953238.0000000002DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.251529098.0000000002886000.00000004.00000001.sdmp, type: MEMORY