Windows Analysis Report EzCOXP6oxy

Overview

General Information

Sample Name: EzCOXP6oxy (renamed file extension from none to dll)
Analysis ID: 528695
MD5: 0c32d4334246cc061e80fc9cf0780a58
SHA1: eec70a7ff5e0ed8adb1bba38021dc2fdf0b1081d
SHA256: c4e9dbb3e3b37e36574a8d963f3ba83d61beceedfb640e9592b0a416396ca46e
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.4e00000.6.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: EzCOXP6oxy.dll Virustotal: Detection: 24%
Machine Learning detection for sample
Source: EzCOXP6oxy.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: EzCOXP6oxy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 7_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B01A80 FindFirstFileW, 12_2_04B01A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.3:49753 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /icsZGkxVGlJGXERpNMAkbBhZsRBvNu HTTP/1.1
  Cookie: VzjNaqMqfocdBX=JqOFPJj7PozLdKiIb0Q3hTC9S0ITJTlgaaPM+YcmQ+fGgQl2sU3kSVveu+UxKl7l5E+Vn1v6pOOBNhr6RStkjXoxolELe8X2rLolboD84KIbkDlniHtSL4LHWkLSPni84AFgz3zocxEbBvWcJ4AIekqVpd4PNQbkLSdE6RHCposw2iNPMgXzABlR4bdx4TfSbUboMCHHuhHdRCg++6AooUBOAMfdms1jbZdvw1sJsdZ86jaS+IXQjmI/Fz4GX2r0Zs0TBoVdanVa0yqw
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190 196.44.98.190
Source: Joe Sandbox View IP Address: 78.46.73.125 78.46.73.125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 00000012.00000003.392893440.0000029BE8565000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000012.00000003.392893440.0000029BE8565000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000012.00000003.392893440.0000029BE8565000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.392951757.0000029BE85A4000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000007.00000002.293578987.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.289963723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.293837544.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.811051934.0000000010056000.00000002.00020000.sdmp, EzCOXP6oxy.dll String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000012.00000002.409866458.0000029BE8500000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000012.00000002.409866458.0000029BE8500000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000000.00000002.305931434.00000281D9613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: rundll32.exe, rundll32.exe, 00000007.00000002.293578987.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.289963723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.293837544.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.811051934.0000000010056000.00000002.00020000.sdmp, EzCOXP6oxy.dll String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.305584881.00000281D9649000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305988649.00000281D964E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.305660884.00000281D9641000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305976318.00000281D9642000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.305660884.00000281D9641000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305976318.00000281D9642000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.305655167.00000281D9645000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305931434.00000281D9613000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305655167.00000281D9645000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305960947.00000281D963A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000003.305584881.00000281D9649000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305988649.00000281D964E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000012.00000003.389642570.0000029BE85C8000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389696294.0000029BE85B1000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389711075.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389687376.0000029BE8590000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389671797.0000029BE85C8000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B11027 InternetReadFile, 12_2_04B11027
Source: global traffic HTTP traffic detected:
  GET /icsZGkxVGlJGXERpNMAkbBhZsRBvNu HTTP/1.1
  Cookie: VzjNaqMqfocdBX=JqOFPJj7PozLdKiIb0Q3hTC9S0ITJTlgaaPM+YcmQ+fGgQl2sU3kSVveu+UxKl7l5E+Vn1v6pOOBNhr6RStkjXoxolELe8X2rLolboD84KIbkDlniHtSL4LHWkLSPni84AFgz3zocxEbBvWcJ4AIekqVpd4PNQbkLSdE6RHCposw2iNPMgXzABlR4bdx4TfSbUboMCHHuhHdRCg++6AooUBOAMfdms1jbZdvw1sJsdZ86jaS+IXQjmI/Fz4GX2r0Zs0TBoVdanVa0yqw
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49753 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10023471 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 7_2_10023471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 7_2_10013EC9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 12.2.rundll32.exe.56b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5440000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4ac0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5590000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56b0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5100000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ab0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4ac0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e60000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.54a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.51e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ab0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4fc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.54a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5590000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5440000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4fc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.57c0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.51e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.57c0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.289870644.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810681340.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810823822.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.807533185.0000000000EC0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293225547.0000000004E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810439352.0000000005440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293389274.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293071133.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810235719.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810948594.00000000057C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.291762953.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.293302673.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.809655568.0000000004AC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810054913.0000000005100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292938916.0000000004AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293307621.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810559507.00000000054A0000.00000040.00000001.sdmp, type: MEMORY
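The two lists above describe the same regions twice: the `*.unpack` names are PE images carved out of process memory (`<pid>.<round>.<image>.<base>.<index>[.raw].unpack`), and the `*.sdmp` names are the raw memory dumps they came from. Joining them by process ID and base address tells a triager which hits are the same unpacked stage and which dumps matched Yara without yielding a carvable PE. The following is an added example, not Joe Sandbox code, that performs that join over a subset of the lines above; it assumes the sdmp layout `<pid>.<round>.<id>.<base>.<protect>.<flags>.sdmp` with hex fields, and reads the fifth field as a Windows page-protection value (an assumption about the naming, consistent with every entry here being 0x40, PAGE_EXECUTE_READWRITE, which is what a stage written into a process's own RWX region looks like).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Sample input: a subset of the Yara-hit lines from the report above.
YARA_LINES = [
    "Source: Yara match File source: 8.2.rundll32.exe.4c20000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 12.2.rundll32.exe.5590000.12.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 7.2.rundll32.exe.4fc0000.10.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000008.00000002.289870644.0000000004C20000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000C.00000002.810681340.0000000005590000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000C.00000002.810823822.00000000056B0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.293389274.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY",
]

YARA_RE = re.compile(r"^Source: Yara match File source: (?P<name>\S+), type: (?P<type>\w+)$")
# <pid>.<round>.<image>.<base hex>.<index>[.raw].unpack  (pid and base as shown in the report)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<round>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$"
)
# <pid>.<round>.<id>.<base>.<protect>.<flags>.sdmp, hex fields; the field meanings are an assumption
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$"
)

# Windows memory-protection constants (winnt.h).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

Region = Dict[str, object]          # {"unpack": [names], "memory": [names], "protect": int|None}
Key = Tuple[int, int]               # (pid, base address)


def correlate(lines: List[str]) -> Dict[Key, Region]:
    """Group UNPACKEDPE and MEMORY hits by (pid, base) so the same region is seen once."""
    regions: Dict[Key, Region] = defaultdict(lambda: {"unpack": [], "memory": [], "protect": None})
    for line in lines:
        m = YARA_RE.match(line)
        if not m:
            continue
        name, kind = m.group("name"), m.group("type")
        if kind == "UNPACKEDPE":
            u = UNPACK_RE.match(name)
            if u:
                regions[(int(u["pid"]), int(u["base"], 16))]["unpack"].append(name)
        elif kind == "MEMORY":
            s = SDMP_RE.match(name)
            if s:
                key = (int(s["pid"], 16), int(s["base"], 16))
                regions[key]["memory"].append(name)
                regions[key]["protect"] = int(s["protect"], 16)
    return dict(regions)


def memory_only(regions: Dict[Key, Region]) -> List[Key]:
    """Regions that matched Yara in a dump but produced no carvable PE (worth a manual look)."""
    return sorted(k for k, v in regions.items() if v["memory"] and not v["unpack"])


def protect_name(value: Optional[int]) -> str:
    return PAGE_PROTECT.get(value, f"0x{value:02x}" if value is not None else "unknown")


if __name__ == "__main__":
    regs = correlate(YARA_LINES)
    for (pid, base), v in sorted(regs.items()):
        print(f"pid {pid:>2} base 0x{base:08X} {protect_name(v['protect']):<22} "
              f"unpacked={len(v['unpack'])} dumps={len(v['memory'])}")
    print("memory-only regions:", [(p, hex(b)) for p, b in memory_only(regs)])
```

Run over the full list on the page, the join shows every carved PE has a matching RWX dump, and a handful of dumps (for example PID 12 at 0x56B0000) matched Yara without a PE being carved; those are the ones to open in a debugger or pull the raw dump for.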

System Summary:

Uses 32bit PE files
Source: EzCOXP6oxy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nqaukzzzqxw\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10046A46 7_2_10046A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010E3B 7_2_10010E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1003FFA2 7_2_1003FFA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455F41F 7_2_0455F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455441E 7_2_0455441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456056A 7_2_0456056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04552043 7_2_04552043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045690BA 7_2_045690BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04559384 7_2_04559384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04554C00 7_2_04554C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456ECE3 7_2_0456ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456DEF4 7_2_0456DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456AEEB 7_2_0456AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04553845 7_2_04553845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045708D1 7_2_045708D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456D99A 7_2_0456D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04552A46 7_2_04552A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456CAA8 7_2_0456CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04567BB2 7_2_04567BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456E441 7_2_0456E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456748A 7_2_0456748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045644AA 7_2_045644AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455251C 7_2_0455251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04553502 7_2_04553502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045725C3 7_2_045725C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455C5FE 7_2_0455C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045555E8 7_2_045555E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455758F 7_2_0455758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04552654 7_2_04552654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04570687 7_2_04570687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456D6A7 7_2_0456D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456577E 7_2_0456577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455A048 7_2_0455A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456406E 7_2_0456406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045530F6 7_2_045530F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456D091 7_2_0456D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455C158 7_2_0455C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456F14D 7_2_0456F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04571193 7_2_04571193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456B1B5 7_2_0456B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455E21C 7_2_0455E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455220A 7_2_0455220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04565220 7_2_04565220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455D223 7_2_0455D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04557283 7_2_04557283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04553345 7_2_04553345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04571343 7_2_04571343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04552309 7_2_04552309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455A3DF 7_2_0455A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045703F1 7_2_045703F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456B397 7_2_0456B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045643B3 7_2_045643B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04551C76 7_2_04551C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04561C10 7_2_04561C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04558C09 7_2_04558C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455EC27 7_2_0455EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456CCD4 7_2_0456CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455AC95 7_2_0455AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04553C91 7_2_04553C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456AC9B 7_2_0456AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455CC8D 7_2_0455CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456FD10 7_2_0456FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455FD91 7_2_0455FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04564D8D 7_2_04564D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04569DA1 7_2_04569DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04559E22 7_2_04559E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04567ED1 7_2_04567ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456BEC9 7_2_0456BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04564E8A 7_2_04564E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455FEA0 7_2_0455FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04553F5C 7_2_04553F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04561F6B 7_2_04561F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04556FC4 7_2_04556FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456BFE8 7_2_0456BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04554F8E 7_2_04554F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455BFB6 7_2_0455BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04562FA2 7_2_04562FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456F83F 7_2_0456F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456A8F0 7_2_0456A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045698BD 7_2_045698BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_045678A5 7_2_045678A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04555923 7_2_04555923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0457292B 7_2_0457292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04559A57 7_2_04559A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04551A0A 7_2_04551A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04571A3C 7_2_04571A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04560ADE 7_2_04560ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04555AB2 7_2_04555AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0455DAAE 7_2_0455DAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04570B34 7_2_04570B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04556B25 7_2_04556B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04564BAA 7_2_04564BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6CAA8 8_2_04C6CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5441E 8_2_04C5441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C643B3 8_2_04C643B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6BEC9 8_2_04C6BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6CCD4 8_2_04C6CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C708D1 8_2_04C708D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C67ED1 8_2_04C67ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C60ADE 8_2_04C60ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6ECE3 8_2_04C6ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6AEEB 8_2_04C6AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6DEF4 8_2_04C6DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C530F6 8_2_04C530F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C70687 8_2_04C70687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C57283 8_2_04C57283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5CC8D 8_2_04C5CC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C64E8A 8_2_04C64E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6748A 8_2_04C6748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5AC95 8_2_04C5AC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C53C91 8_2_04C53C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6D091 8_2_04C6D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6AC9B 8_2_04C6AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6D6A7 8_2_04C6D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C678A5 8_2_04C678A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5FEA0 8_2_04C5FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C644AA 8_2_04C644AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C55AB2 8_2_04C55AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C698BD 8_2_04C698BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C690BA 8_2_04C690BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C53845 8_2_04C53845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C52A46 8_2_04C52A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C52043 8_2_04C52043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6E441 8_2_04C6E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5A048 8_2_04C5A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C52654 8_2_04C52654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C59A57 8_2_04C59A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6406E 8_2_04C6406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C51C76 8_2_04C51C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C54C00 8_2_04C54C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C58C09 8_2_04C58C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C51A0A 8_2_04C51A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5220A 8_2_04C5220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C61C10 8_2_04C61C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5E21C 8_2_04C5E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5F41F 8_2_04C5F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5EC27 8_2_04C5EC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C65220 8_2_04C65220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5D223 8_2_04C5D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C59E22 8_2_04C59E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6F83F 8_2_04C6F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C71A3C 8_2_04C71A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C56FC4 8_2_04C56FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C725C3 8_2_04C725C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5A3DF 8_2_04C5A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6BFE8 8_2_04C6BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C703F1 8_2_04C703F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5C5FE 8_2_04C5C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C59384 8_2_04C59384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5758F 8_2_04C5758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C64D8D 8_2_04C64D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C54F8E 8_2_04C54F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6B397 8_2_04C6B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5FD91 8_2_04C5FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C71193 8_2_04C71193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6D99A 8_2_04C6D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C62FA2 8_2_04C62FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C69DA1 8_2_04C69DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C64BAA 8_2_04C64BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6B1B5 8_2_04C6B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5BFB6 8_2_04C5BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C67BB2 8_2_04C67BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C53345 8_2_04C53345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C71343 8_2_04C71343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6F14D 8_2_04C6F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C53F5C 8_2_04C53F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5C158 8_2_04C5C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6056A 8_2_04C6056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C61F6B 8_2_04C61F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6577E 8_2_04C6577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C53502 8_2_04C53502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C52309 8_2_04C52309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6FD10 8_2_04C6FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C5251C 8_2_04C5251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C56B25 8_2_04C56B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C55923 8_2_04C55923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C7292B 8_2_04C7292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C70B34 8_2_04C70B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BECAA8 10_2_00BECAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD441E 10_2_00BD441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE43B3 10_2_00BE43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE98BD 10_2_00BE98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE90BA 10_2_00BE90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD5AB2 10_2_00BD5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE44AA 10_2_00BE44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BED6A7 10_2_00BED6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE78A5 10_2_00BE78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDFEA0 10_2_00BDFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEAC9B 10_2_00BEAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDAC95 10_2_00BDAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD3C91 10_2_00BD3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BED091 10_2_00BED091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDCC8D 10_2_00BDCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE4E8A 10_2_00BE4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE748A 10_2_00BE748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF0687 10_2_00BF0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD7283 10_2_00BD7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEDEF4 10_2_00BEDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD30F6 10_2_00BD30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEAEEB 10_2_00BEAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEECE3 10_2_00BEECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE0ADE 10_2_00BE0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BECCD4 10_2_00BECCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF08D1 10_2_00BF08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE7ED1 10_2_00BE7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEBEC9 10_2_00BEBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEF83F 10_2_00BEF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF1A3C 10_2_00BF1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDEC27 10_2_00BDEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE5220 10_2_00BE5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDD223 10_2_00BDD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD9E22 10_2_00BD9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDE21C 10_2_00BDE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDF41F 10_2_00BDF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE1C10 10_2_00BE1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD8C09 10_2_00BD8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD1A0A 10_2_00BD1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD220A 10_2_00BD220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD4C00 10_2_00BD4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD1C76 10_2_00BD1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE406E 10_2_00BE406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD2654 10_2_00BD2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD9A57 10_2_00BD9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDA048 10_2_00BDA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD3845 10_2_00BD3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD2A46 10_2_00BD2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD2043 10_2_00BD2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEE441 10_2_00BEE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEB1B5 10_2_00BEB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDBFB6 10_2_00BDBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE7BB2 10_2_00BE7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE4BAA 10_2_00BE4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE2FA2 10_2_00BE2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE9DA1 10_2_00BE9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BED99A 10_2_00BED99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEB397 10_2_00BEB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDFD91 10_2_00BDFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF1193 10_2_00BF1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD758F 10_2_00BD758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE4D8D 10_2_00BE4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD4F8E 10_2_00BD4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD9384 10_2_00BD9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDC5FE 10_2_00BDC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF03F1 10_2_00BF03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEBFE8 10_2_00BEBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDA3DF 10_2_00BDA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD6FC4 10_2_00BD6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF25C3 10_2_00BF25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF0B34 10_2_00BF0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF292B 10_2_00BF292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD6B25 10_2_00BD6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD5923 10_2_00BD5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD251C 10_2_00BD251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEFD10 10_2_00BEFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD2309 10_2_00BD2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD3502 10_2_00BD3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE577E 10_2_00BE577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE056A 10_2_00BE056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BE1F6B 10_2_00BE1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD3F5C 10_2_00BD3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BDC158 10_2_00BDC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEF14D 10_2_00BEF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD3345 10_2_00BD3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BF1343 10_2_00BF1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B078A5 12_2_04B078A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B044AA 12_2_04B044AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF5AB2 12_2_04AF5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0748A 12_2_04B0748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFAC95 12_2_04AFAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0DEF4 12_2_04B0DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0ECE3 12_2_04B0ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF30F6 12_2_04AF30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B108D1 12_2_04B108D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B07ED1 12_2_04B07ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFEC27 12_2_04AFEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0F83F 12_2_04B0F83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B05220 12_2_04B05220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF220A 12_2_04AF220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF441E 12_2_04AF441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF3845 12_2_04AF3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF2043 12_2_04AF2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B02FA2 12_2_04B02FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFBFB6 12_2_04AFBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B04BAA 12_2_04B04BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF758F 12_2_04AF758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF9384 12_2_04AF9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF55E8 12_2_04AF55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFC5FE 12_2_04AFC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF6FC4 12_2_04AF6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B10B34 12_2_04B10B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFDAAE 12_2_04AFDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B090BA 12_2_04B090BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B098BD 12_2_04B098BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFFEA0 12_2_04AFFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0D6A7 12_2_04B0D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0CAA8 12_2_04B0CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0D091 12_2_04B0D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFCC8D 12_2_04AFCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0AC9B 12_2_04B0AC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF7283 12_2_04AF7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B10687 12_2_04B10687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B04E8A 12_2_04B04E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF3C91 12_2_04AF3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0A8F0 12_2_04B0A8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0AEEB 12_2_04B0AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0CCD4 12_2_04B0CCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B00ADE 12_2_04B00ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0BEC9 12_2_04B0BEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFD223 12_2_04AFD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF9E22 12_2_04AF9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B11A3C 12_2_04B11A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B01C10 12_2_04B01C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF1A0A 12_2_04AF1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF8C09 12_2_04AF8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF4C00 12_2_04AF4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFF41F 12_2_04AFF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFE21C 12_2_04AFE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF1C76 12_2_04AF1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0406E 12_2_04B0406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFA048 12_2_04AFA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF2A46 12_2_04AF2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0E441 12_2_04B0E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF9A57 12_2_04AF9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF2654 12_2_04AF2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B07BB2 12_2_04B07BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B043B3 12_2_04B043B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0B1B5 12_2_04B0B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B09DA1 12_2_04B09DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF4F8E 12_2_04AF4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B11193 12_2_04B11193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0B397 12_2_04B0B397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0D99A 12_2_04B0D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B04D8D 12_2_04B04D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFFD91 12_2_04AFFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B103F1 12_2_04B103F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0BFE8 12_2_04B0BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFA3DF 12_2_04AFA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B125C3 12_2_04B125C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF6B25 12_2_04AF6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF5923 12_2_04AF5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B1292B 12_2_04B1292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0FD10 12_2_04B0FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF2309 12_2_04AF2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF3502 12_2_04AF3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF251C 12_2_04AF251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0577E 12_2_04B0577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0056A 12_2_04B0056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B01F6B 12_2_04B01F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF3345 12_2_04AF3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B11343 12_2_04B11343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF3F5C 12_2_04AF3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AFC158 12_2_04AFC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0F14D 12_2_04B0F14D
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10041CAB appears 90 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10041DB8 appears 37 times
Source: EzCOXP6oxy.dll Virustotal: Detection: 24%
Source: EzCOXP6oxy.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll"
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\EzCOXP6oxy.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd",xjdXnltVst
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@23/1@0/20
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B01B54 CreateToolhelp32Snapshot, 12_2_04B01B54
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1296:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012024 FindResourceA,LoadResource,LockResource,FreeResource, 7_2_10012024
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: EzCOXP6oxy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EzCOXP6oxy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EzCOXP6oxy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EzCOXP6oxy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EzCOXP6oxy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10041D83 push ecx; ret 7_2_10041D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10041DFD push ecx; ret 7_2_10041E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04551229 push eax; retf 7_2_0455129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C51229 push eax; retf 8_2_04C5129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BD1229 push eax; retf 10_2_00BD129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04AF1229 push eax; retf 12_2_04AF129A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_1004D1EA
PE file contains an invalid checksum
Source: EzCOXP6oxy.dll Static PE information: real checksum: 0xadad1 should be: 0xb0181

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C188 IsIconic,GetWindowPlacement,GetWindowRect, 7_2_1000C188
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10023C63 IsWindowVisible,IsIconic, 7_2_10023C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CF24 GetParent,GetParent,IsIconic,GetParent, 7_2_1001CF24
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 7012 Thread sleep time: -120000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 7_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B01A80 FindFirstFileW, 12_2_04B01A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000012.00000002.409607506.0000029BE7CA5000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.409671317.0000029BE7CE8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_100441C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_1004D1EA
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0456DE10 mov eax, dword ptr fs:[00000030h] 7_2_0456DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04C6DE10 mov eax, dword ptr fs:[00000030h] 8_2_04C6DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00BEDE10 mov eax, dword ptr fs:[00000030h] 10_2_00BEDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B0DE10 mov eax, dword ptr fs:[00000030h] 12_2_04B0DE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_100441C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004A1EC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_1004A1EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1003F29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_1003F29E

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1
Source: rundll32.exe, 0000000C.00000002.809325326.0000000003540000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000C.00000002.809325326.0000000003540000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000C.00000002.809325326.0000000003540000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000C.00000002.809325326.0000000003540000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 7_2_100199B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_1004DE0C
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10048D61 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_10048D61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BFE6 _memset,GetVersionExA, 7_2_1000BFE6

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000006.00000002.807674796.000001C48423D000.00000004.00000001.sdmp Binary or memory string: $@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.807729376.000001C484302000.00000004.00000001.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.807650319.000001C48422A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.807729376.000001C484302000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 12.2.rundll32.exe.56b0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5440000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4ac0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5590000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.56b0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5100000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ab0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4ac0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e60000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.54a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.51e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ab0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4fc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.54a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5590000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.5440000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4e60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4fc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.57c0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.51e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.57c0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.289870644.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810681340.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810823822.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.807533185.0000000000EC0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293225547.0000000004E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810439352.0000000005440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293389274.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293071133.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810235719.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810948594.00000000057C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.291762953.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.293302673.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.809655568.0000000004AC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810054913.0000000005100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292938916.0000000004AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.293307621.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.810559507.00000000054A0000.00000040.00000001.sdmp, type: MEMORY