Windows Analysis Report NjTYb3VyzV

Overview

General Information

Sample Name: NjTYb3VyzV (renamed file extension from none to dll)
Analysis ID: 528810
MD5: 944f5dec057269043eeb02d551e1593f
SHA1: c6dc40330793e23a88753d1a5ba18142a0eb33b9
SHA256: 651b117d5a6c37b255cbfa465740b4ea3cea29d41175338c83b1d5b416c29a01
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.4980000.8.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"], "C2 list": ["91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"]}
Multi AV Scanner detection for submitted file
Source: NjTYb3VyzV.dll Virustotal: Detection: 13%
Machine Learning detection for sample
Source: NjTYb3VyzV.dll Joe Sandbox ML: detected
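The two "Public Key" values in the extracted configuration are base64-encoded BCRYPT_ECCKEY_BLOB structures: a four-byte magic ('ECS1' for an ECDSA P-256 public key, 'ECK1' for an ECDH P-256 public key), a 32-bit key length, then the big-endian X and Y coordinates. The Python below is an added example and is not part of this report or of the sandbox's config extractor. It decodes both blobs, checks that each decoded point actually lies on P-256 (a cheap sanity check that the extractor did not hand over a truncated or mis-aligned blob), and normalises the C2 list into (ip, port) pairs with a per-port count. Only the configuration values are taken from the report; the function names and everything else are the example's own.

```python
"""Decode the Emotet configuration reported above (added example, not sandbox code)."""
import base64
import struct
from collections import Counter

# Values copied from the "Found malware configuration" entry in this report.
CONFIG = {
    "Public Key": [
        "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5",
        "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2",
    ],
    "C2 list": [
        "91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080",
        "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080",
        "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443",
        "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080",
        "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080",
        "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443",
        "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080",
    ],
}

# BCRYPT_ECCKEY_BLOB layout: ULONG dwMagic, ULONG cbKey, then X and Y (cbKey bytes each,
# big-endian). Magic values from bcrypt.h: 'ECS1' = BCRYPT_ECDSA_PUBLIC_P256_MAGIC,
# 'ECK1' = BCRYPT_ECDH_PUBLIC_P256_MAGIC.
MAGIC = {b"ECS1": "ECDSA_P256_PUBLIC", b"ECK1": "ECDH_P256_PUBLIC"}

# NIST P-256 field prime and coefficient b (a = -3), used only for the on-curve check.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def decode_ecc_blob(b64: str) -> dict:
    """Parse one base64 BCRYPT_ECCKEY_BLOB and report whether the point is on P-256."""
    raw = base64.b64decode(b64)
    magic, cb_key = struct.unpack_from("<4sI", raw, 0)
    if magic not in MAGIC:
        raise ValueError(f"unexpected BCRYPT magic {magic!r}")
    if cb_key != 32 or len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob size {len(raw)} does not match a P-256 key (cbKey={cb_key})")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    on_curve = (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0
    return {"type": MAGIC[magic], "key_bytes": cb_key, "x": x, "y": y, "on_curve": on_curve}


def parse_c2(entries: list) -> list:
    """Turn 'ip:port' strings into (ip, port) tuples, rejecting anything malformed."""
    servers = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        octets = host.split(".")
        valid_host = len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)
        if not sep or not valid_host or not port.isdigit():
            raise ValueError(f"malformed C2 entry {entry!r}")
        servers.append((host, int(port)))
    return servers


def summarize(config: dict) -> dict:
    """Decoded keys, normalised C2 list and a port histogram for the configuration."""
    keys = [decode_ecc_blob(k) for k in config["Public Key"]]
    c2 = parse_c2(config["C2 list"])
    return {"keys": keys, "c2": c2, "ports": Counter(port for _, port in c2)}


if __name__ == "__main__":
    summary = summarize(CONFIG)
    for key in summary["keys"]:
        print(f"{key['type']}: X={key['x']:064x} on_curve={key['on_curve']}")
    print(f"{len(summary['c2'])} C2 servers, ports: {dict(summary['ports'])}")
    # One line per server, grouped by port, ready for a blocklist or IOC feed.
    for host, port in sorted(summary["c2"], key=lambda hp: (hp[1], hp[0])):
        print(f"{host}:{port}")
```

The on-curve test is worth keeping in any extractor pipeline: a blob that decodes with the right magic and length but yields a point off the curve is a sign the extractor read the wrong offset, and such a key would never be accepted by the bot's own BCryptImportKeyPair call.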

Compliance:

Uses 32bit PE files
Source: NjTYb3VyzV.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA, 2_2_100062E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s, 2_2_10004E7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418B2CC FindFirstFileW, 8_2_0418B2CC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.6:49762 -> 91.200.186.228:443
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 41.76.108.46:8080 -> 192.168.2.6:49765
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 41.76.108.46 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 91.200.186.228 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 91.200.186.228:443
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 188.165.214.166:7080
Source: Malware configuration extractor IPs: 191.252.196.221:8080
Source: Malware configuration extractor IPs: 103.8.26.103:8080
Source: Malware configuration extractor IPs: 185.184.25.237:8080
Source: Malware configuration extractor IPs: 103.8.26.102:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 51.68.175.8:8080
Source: Malware configuration extractor IPs: 210.57.217.132:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99 212.237.17.99
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49765 -> 41.76.108.46:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000011.00000003.466921694.00000125DAD9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO
","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000011.00000002.483653675.00000125DAD00000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.483357499.00000125DA4EE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.463658536.00000125DAD7E000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041818CA InternetReadFile, 8_2_041818CA
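Three of the network findings above combine into one correlation check: the connections to 91.200.186.228 and 41.76.108.46 had no preceding DNS query, one of them used the non-standard port 8080, and both destinations appear in the extracted C2 list. The Python below is an added example, not sandbox code, showing that check over constructed flow and DNS records modelled on this report. The C2 set is the page's own and the source ports 49762 and 49765 are the ones the sandbox recorded; the timestamps, the benign control flow with source port 49700, the ctldl.windowsupdate.com answer and its address 203.0.113.10 are constructed for the example.

```python
"""Correlate connection records with DNS answers and a C2 list (added example)."""
from ipaddress import ip_address, ip_network

# C2 servers from the extracted Emotet configuration in this report.
C2_STRINGS = [
    "91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080",
    "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080",
    "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443",
    "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080",
    "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080",
    "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443",
    "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080",
]
C2 = {(host, int(port)) for host, port in (s.rsplit(":", 1) for s in C2_STRINGS)}

# Destinations inside these ranges are ignored. They are listed explicitly rather than
# via ip_address(...).is_private so that the documentation range 203.0.113.0/24 used
# for the constructed benign flow still counts as external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
STANDARD_PORTS = {80, 443}

# Constructed records modelled on the report. 192.168.2.6 is the sandbox host; ports
# 49762 and 49765 are from the report. The first flow is a benign control whose address
# 203.0.113.10 (assumed) was returned by a DNS answer one second earlier.
DNS_ANSWERS = [
    {"ts": 10.0, "client": "192.168.2.6", "qname": "ctldl.windowsupdate.com", "rdata": "203.0.113.10"},
]
FLOWS = [
    {"ts": 11.0, "src": "192.168.2.6", "sport": 49700, "dst": "203.0.113.10", "dport": 80},
    {"ts": 12.0, "src": "192.168.2.6", "sport": 49762, "dst": "91.200.186.228", "dport": 443},
    {"ts": 13.0, "src": "192.168.2.6", "sport": 49765, "dst": "41.76.108.46", "dport": 8080},
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def resolved_before(client: str, dst: str, ts: float, dns: list) -> bool:
    """True if this client received a DNS answer containing dst at or before ts."""
    return any(a["client"] == client and a["rdata"] == dst and a["ts"] <= ts for a in dns)


def classify(flows: list, dns: list, c2: set) -> list:
    """Return (dst, dport, reasons) for every external flow that trips at least one check."""
    alerts = []
    for f in flows:
        if is_internal(f["dst"]):
            continue
        reasons = []
        if not resolved_before(f["src"], f["dst"], f["ts"], dns):
            reasons.append("no-dns")            # direct-to-IP, as the sandbox reported
        if f["dport"] not in STANDARD_PORTS:
            reasons.append("nonstandard-port")  # 7080/8080 in this config
        if (f["dst"], f["dport"]) in c2:
            reasons.append("known-c2")          # exact match against the extracted list
        if reasons:
            alerts.append((f["dst"], f["dport"], reasons))
    return alerts


if __name__ == "__main__":
    for dst, dport, reasons in classify(FLOWS, DNS_ANSWERS, C2):
        print(f"ALERT {dst}:{dport} {','.join(reasons)}")
```

On real telemetry the no-dns signal alone is noisy (hard-coded update and telemetry addresses, clients resolving over DoH the sensor cannot see), which is why the example carries all three reasons on each alert instead of firing on any one of them; the known-c2 match is the one worth paging on.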

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.350641355.0000000000FCB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10009963 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_10009963

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: NjTYb3VyzV.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Xzrjbnqqcb\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100141F1 2_2_100141F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000B24B 2_2_1000B24B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10023277 2_2_10023277
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100145C5 2_2_100145C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100227EF 2_2_100227EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002396F 2_2_1002396F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100149D1 2_2_100149D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10013D1C 2_2_10013D1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10022D33 2_2_10022D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10014DF1 2_2_10014DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001AE22 2_2_1001AE22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10024F42 2_2_10024F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04724410 2_2_04724410
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047374A8 2_2_047374A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04738563 2_2_04738563
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472E6C7 2_2_0472E6C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473A049 2_2_0473A049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04736349 2_2_04736349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04737C07 2_2_04737C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473FCD8 2_2_0473FCD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04730F1B 2_2_04730F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472480A 2_2_0472480A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04723894 2_2_04723894
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047309F3 2_2_047309F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04734A72 2_2_04734A72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473FABB 2_2_0473FABB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472BA95 2_2_0472BA95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473F43B 2_2_0473F43B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04735406 2_2_04735406
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472D407 2_2_0472D407
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047424FA 2_2_047424FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047284B5 2_2_047284B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473848F 2_2_0473848F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472F574 2_2_0472F574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473D530 2_2_0473D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047265A1 2_2_047265A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473E5A8 2_2_0473E5A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047275A9 2_2_047275A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04730610 2_2_04730610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473A614 2_2_0473A614
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473261D 2_2_0473261D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04726693 2_2_04726693
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04722735 2_2_04722735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472F71C 2_2_0472F71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04728784 2_2_04728784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472F07C 2_2_0472F07C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472606B 2_2_0472606B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472C0E4 2_2_0472C0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473B0DD 2_2_0473B0DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472E09E 2_2_0472E09E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04742081 2_2_04742081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473708B 2_2_0473708B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473313F 2_2_0473313F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472226A 2_2_0472226A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472825D 2_2_0472825D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473D2E6 2_2_0473D2E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472E2D7 2_2_0472E2D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472A34E 2_2_0472A34E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047313D7 2_2_047313D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473B3B8 2_2_0473B3B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047393A0 2_2_047393A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04738389 2_2_04738389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473EC2D 2_2_0473EC2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04727C10 2_2_04727C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04734CF5 2_2_04734CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04735CA0 2_2_04735CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473BD6A 2_2_0473BD6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04724D32 2_2_04724D32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472ED39 2_2_0472ED39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473AD26 2_2_0473AD26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472DD02 2_2_0472DD02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04736DF8 2_2_04736DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473DDD1 2_2_0473DDD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04721DB2 2_2_04721DB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04725E78 2_2_04725E78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472CE30 2_2_0472CE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473CED5 2_2_0473CED5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04731F7B 2_2_04731F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473EF6D 2_2_0473EF6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472CF39 2_2_0472CF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472AFF0 2_2_0472AFF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473E84B 2_2_0473E84B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473584C 2_2_0473584C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047338F0 2_2_047338F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472C8D3 2_2_0472C8D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04739886 2_2_04739886
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04725973 2_2_04725973
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473F93D 2_2_0473F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472193C 2_2_0472193C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047299D7 2_2_047299D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04738996 2_2_04738996
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473D99C 2_2_0473D99C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04742A78 2_2_04742A78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04727A51 2_2_04727A51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472FA3C 2_2_0472FA3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04737AF5 2_2_04737AF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472CAD5 2_2_0472CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04726B58 2_2_04726B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04731BB7 2_2_04731BB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04741B95 2_2_04741B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04634A72 3_2_04634A72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04623894 3_2_04623894
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462226A 3_2_0462226A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462606B 3_2_0462606B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04625E78 3_2_04625E78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04642A78 3_2_04642A78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462F07C 3_2_0462F07C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463E84B 3_2_0463E84B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463A049 3_2_0463A049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463584C 3_2_0463584C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04627A51 3_2_04627A51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462825D 3_2_0462825D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463EC2D 3_2_0463EC2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462CE30 3_2_0462CE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463F43B 3_2_0463F43B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462FA3C 3_2_0462FA3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04637C07 3_2_04637C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04635406 3_2_04635406
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462D407 3_2_0462D407
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462480A 3_2_0462480A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04624410 3_2_04624410
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04627C10 3_2_04627C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04630610 3_2_04630610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463A614 3_2_0463A614
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463261D 3_2_0463261D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463D2E6 3_2_0463D2E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462C0E4 3_2_0462C0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046338F0 3_2_046338F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04637AF5 3_2_04637AF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04634CF5 3_2_04634CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046424FA 3_2_046424FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462E6C7 3_2_0462E6C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462C8D3 3_2_0462C8D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462E2D7 3_2_0462E2D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463CED5 3_2_0463CED5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462CAD5 3_2_0462CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463FCD8 3_2_0463FCD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463B0DD 3_2_0463B0DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04635CA0 3_2_04635CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046374A8 3_2_046374A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046284B5 3_2_046284B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463FABB 3_2_0463FABB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04642081 3_2_04642081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04639886 3_2_04639886
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463708B 3_2_0463708B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463848F 3_2_0463848F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04626693 3_2_04626693
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462BA95 3_2_0462BA95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462E09E 3_2_0462E09E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04638563 3_2_04638563
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463BD6A 3_2_0463BD6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463EF6D 3_2_0463EF6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04625973 3_2_04625973
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462F574 3_2_0462F574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04631F7B 3_2_04631F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04636349 3_2_04636349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462A34E 3_2_0462A34E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04626B58 3_2_04626B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463AD26 3_2_0463AD26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04624D32 3_2_04624D32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463D530 3_2_0463D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04622735 3_2_04622735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462ED39 3_2_0462ED39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462CF39 3_2_0462CF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463313F 3_2_0463313F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463F93D 3_2_0463F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462193C 3_2_0462193C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462DD02 3_2_0462DD02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04630F1B 3_2_04630F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462F71C 3_2_0462F71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046309F3 3_2_046309F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462AFF0 3_2_0462AFF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04636DF8 3_2_04636DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463DDD1 3_2_0463DDD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046313D7 3_2_046313D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046299D7 3_2_046299D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046265A1 3_2_046265A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046393A0 3_2_046393A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463E5A8 3_2_0463E5A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046275A9 3_2_046275A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04621DB2 3_2_04621DB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04631BB7 3_2_04631BB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463B3B8 3_2_0463B3B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04628784 3_2_04628784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04638389 3_2_04638389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04641B95 3_2_04641B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04638996 3_2_04638996
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463D99C 3_2_0463D99C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04074A72 6_2_04074A72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04063894 6_2_04063894
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04077C07 6_2_04077C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04075406 6_2_04075406
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406D407 6_2_0406D407
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406480A 6_2_0406480A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407A614 6_2_0407A614
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04064410 6_2_04064410
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04067C10 6_2_04067C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04070610 6_2_04070610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407261D 6_2_0407261D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407EC2D 6_2_0407EC2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406CE30 6_2_0406CE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406FA3C 6_2_0406FA3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407F43B 6_2_0407F43B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407584C 6_2_0407584C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407E84B 6_2_0407E84B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407A049 6_2_0407A049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04067A51 6_2_04067A51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406825D 6_2_0406825D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406226A 6_2_0406226A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406606B 6_2_0406606B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04082A78 6_2_04082A78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406F07C 6_2_0406F07C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04065E78 6_2_04065E78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04079886 6_2_04079886
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407848F 6_2_0407848F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04082081 6_2_04082081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407708B 6_2_0407708B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406BA95 6_2_0406BA95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04066693 6_2_04066693
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406E09E 6_2_0406E09E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04075CA0 6_2_04075CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040774A8 6_2_040774A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040684B5 6_2_040684B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407FABB 6_2_0407FABB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406E6C7 6_2_0406E6C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406E2D7 6_2_0406E2D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407CED5 6_2_0407CED5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406CAD5 6_2_0406CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406C8D3 6_2_0406C8D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407B0DD 6_2_0407B0DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407FCD8 6_2_0407FCD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407D2E6 6_2_0407D2E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406C0E4 6_2_0406C0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04077AF5 6_2_04077AF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04074CF5 6_2_04074CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040824FA 6_2_040824FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040738F0 6_2_040738F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406DD02 6_2_0406DD02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406F71C 6_2_0406F71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04070F1B 6_2_04070F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407AD26 6_2_0407AD26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04062735 6_2_04062735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04064D32 6_2_04064D32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407D530 6_2_0407D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407313F 6_2_0407313F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407F93D 6_2_0407F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406193C 6_2_0406193C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406ED39 6_2_0406ED39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406CF39 6_2_0406CF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406A34E 6_2_0406A34E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04076349 6_2_04076349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04066B58 6_2_04066B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04078563 6_2_04078563
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407EF6D 6_2_0407EF6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407BD6A 6_2_0407BD6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406F574 6_2_0406F574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04065973 6_2_04065973
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04071F7B 6_2_04071F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04068784 6_2_04068784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04078389 6_2_04078389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04078996 6_2_04078996
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407D99C 6_2_0407D99C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04081B95 6_2_04081B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040665A1 6_2_040665A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040793A0 6_2_040793A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407E5A8 6_2_0407E5A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040675A9 6_2_040675A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04071BB7 6_2_04071BB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04061DB2 6_2_04061DB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407B3B8 6_2_0407B3B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040713D7 6_2_040713D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040699D7 6_2_040699D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407DDD1 6_2_0407DDD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040709F3 6_2_040709F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406AFF0 6_2_0406AFF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04076DF8 6_2_04076DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04185406 8_2_04185406
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417CE30 8_2_0417CE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418EC2D 8_2_0418EC2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417825D 8_2_0417825D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04192A78 8_2_04192A78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417BA95 8_2_0417BA95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04173894 8_2_04173894
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04189886 8_2_04189886
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418FABB 8_2_0418FABB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041874A8 8_2_041874A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418FCD8 8_2_0418FCD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417CAD5 8_2_0417CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041838F0 8_2_041838F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04180F1B 8_2_04180F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04172735 8_2_04172735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418F93D 8_2_0418F93D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04174D32 8_2_04174D32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418313F 8_2_0418313F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417CF39 8_2_0417CF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04176B58 8_2_04176B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417F574 8_2_0417F574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418D99C 8_2_0418D99C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04178784 8_2_04178784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418E5A8 8_2_0418E5A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041893A0 8_2_041893A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418DDD1 8_2_0418DDD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041809F3 8_2_041809F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418261D 8_2_0418261D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04174410 8_2_04174410
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04177C10 8_2_04177C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04180610 8_2_04180610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418A614 8_2_0418A614
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417D407 8_2_0417D407
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417480A 8_2_0417480A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04187C07 8_2_04187C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418F43B 8_2_0418F43B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417FA3C 8_2_0417FA3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04177A51 8_2_04177A51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418A049 8_2_0418A049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418E84B 8_2_0418E84B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418584C 8_2_0418584C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04184A72 8_2_04184A72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417F07C 8_2_0417F07C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04175E78 8_2_04175E78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417606B 8_2_0417606B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417226A 8_2_0417226A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04176693 8_2_04176693
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417E09E 8_2_0417E09E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418708B 8_2_0418708B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418848F 8_2_0418848F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04192081 8_2_04192081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041784B5 8_2_041784B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04185CA0 8_2_04185CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417E2D7 8_2_0417E2D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417C8D3 8_2_0417C8D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418B0DD 8_2_0418B0DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418CED5 8_2_0418CED5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417E6C7 8_2_0417E6C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041924FA 8_2_041924FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04187AF5 8_2_04187AF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04184CF5 8_2_04184CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417C0E4 8_2_0417C0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418D2E6 8_2_0418D2E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417F71C 8_2_0417F71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417DD02 8_2_0417DD02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418D530 8_2_0418D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417193C 8_2_0417193C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417ED39 8_2_0417ED39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418AD26 8_2_0418AD26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04186349 8_2_04186349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417A34E 8_2_0417A34E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04181F7B 8_2_04181F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04175973 8_2_04175973
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418BD6A 8_2_0418BD6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418EF6D 8_2_0418EF6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04188563 8_2_04188563
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04191B95 8_2_04191B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04188996 8_2_04188996
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04188389 8_2_04188389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418B3B8 8_2_0418B3B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04171DB2 8_2_04171DB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04181BB7 8_2_04181BB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041765A1 8_2_041765A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041775A9 8_2_041775A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041799D7 8_2_041799D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041813D7 8_2_041813D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04186DF8 8_2_04186DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417AFF0 8_2_0417AFF0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10013B28 appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10013978 appears 91 times
Sample file is different than original file name gathered from version info
Source: NjTYb3VyzV.dll Binary or memory string: OriginalFilenameFTPTREE.EXEH vs NjTYb3VyzV.dll
PE file contains strange resources
Source: NjTYb3VyzV.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll Virustotal: Detection: 13%
Source: NjTYb3VyzV.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@18/7@0/29
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10005E84 FormatMessageA,FormatMessageA,FormatMessageA,LocalFree,InternetGetLastResponseInfoA,InternetGetLastResponseInfoA,GetLastError,LocalAlloc,InternetGetLastResponseInfoA,LocalFree,LocalFree,FreeLibrary, 2_2_10005E84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417D29B CreateToolhelp32Snapshot, 8_2_0417D29B
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10001000 LoadResource, 2_2_10001000
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: NjTYb3VyzV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NjTYb3VyzV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NjTYb3VyzV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NjTYb3VyzV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NjTYb3VyzV.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10013A50 push ecx; ret 2_2_10013A63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10013B6D push ecx; ret 2_2_10013B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_047210BA push eax; ret 2_2_0472118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04721160 push eax; ret 2_2_0472118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0472124E pushfd ; ret 2_2_04721258
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0462124E pushfd ; ret 3_2_04621258
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046210BA push eax; ret 3_2_0462118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04621160 push eax; ret 3_2_0462118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0406124E pushfd ; ret 6_2_04061258
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_040610BA push eax; ret 6_2_0406118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04061160 push eax; ret 6_2_0406118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0417124E pushfd ; ret 8_2_04171258
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_041710BA push eax; ret 8_2_0417118C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04171160 push eax; ret 8_2_0417118C
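Each pair above (push eax; ret, pushfd; ret, push ecx; ret) is an indirect jump: the ret pops whatever was just pushed into EIP, so a linear disassembler never sees the real target. Two things are worth noting before chasing them. The 0x1000xxxx hits sit in the 0x10000000-based loader DLL, the same image in which this report lists MSVC runtime functions (__encode_pointer, __invoke_watson), and push/ret sequences are routine in compiler runtime code, so on their own they are a weak signal. The 0x04xxxxxx hits fall inside the heap regions that the Yara rule matches as Emotet further down (for process 2 the 0x046f0000 region, for process 8 the 0x04090000 region, and so on), and those are the ones that matter. The scanner below is an added example, not code from the report or from Joe Sandbox: it does a plain byte scan for the three encodings the report flagged and, where a `mov r32, imm32` immediately precedes a `push r32; ret`, recovers the jump target. A byte scan can hit inside longer instructions, so confirm results with a real disassembler. SAMPLE is a constructed byte string.

```python
"""Find x86 push/ret control-flow obfuscation in a code buffer.
Added example (standard library only); not code from the report."""
from typing import List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample: a normal prologue followed by the three flagged forms.
SAMPLE = bytes.fromhex(
    "55 8b ec"                # push ebp; mov ebp, esp               (benign, no hit)
    "b8 78 56 34 12 50 c3"    # mov eax, 0x12345678; push eax; ret   -> jmp 0x12345678
    "90 9c c3"                # nop; pushfd; ret                     (jumps to EFLAGS value)
    "68 00 10 40 00 c3"       # push 0x00401000; ret                 -> jmp 0x00401000
    "51 c3"                   # push ecx; ret                        (target computed earlier)
    "c3"
)


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, description) for every push-then-ret pair.

    `base` is the virtual address of code[0], so the addresses line up with
    what a debugger or the sandbox report shows.  Linear byte scan: the
    opcode 0x50..0x57 can also occur as an immediate or ModRM byte inside a
    longer instruction, so treat hits as candidates, not proof.
    """
    hits: List[Tuple[int, str]] = []
    for i in range(len(code) - 1):
        b, nxt = code[i], code[i + 1]
        if 0x50 <= b <= 0x57 and nxt == 0xC3:            # push r32 ; ret
            reg = b - 0x50
            text = f"push {REG32[reg]}; ret"
            # `mov r32, imm32` is B8+r imm32 (5 bytes); if it directly precedes
            # the push, the target is known statically.
            if i >= 5 and code[i - 5] == 0xB8 + reg:
                tgt = int.from_bytes(code[i - 4:i], "little")
                text += f"  ; target 0x{tgt:08x}"
            hits.append((base + i, text))
        elif b == 0x9C and nxt == 0xC3:                   # pushfd ; ret
            hits.append((base + i, "pushfd; ret"))
        elif b == 0x68 and i + 5 < len(code) and code[i + 5] == 0xC3:   # push imm32 ; ret
            tgt = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, f"push 0x{tgt:08x}; ret  ; target 0x{tgt:08x}"))
    return hits


if __name__ == "__main__":
    # Base address chosen to resemble the unpacked region of process 2 in the report.
    for addr, text in find_push_ret(SAMPLE, base=0x04721000):
        print(f"{addr:08x}  {text}")
```

To use it on a real dump, read the region the Yara rule matched (for example the 2.2.rundll32.exe.46f0000.0.unpack file) and pass its load address as `base`; hits whose recovered target lies outside the module's own image are the interesting ones.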
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002127E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1002127E
PE file contains an invalid checksum
Source: NjTYb3VyzV.dll Static PE information: real checksum: 0x6d835 should be: 0x6f415
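A stored checksum of 0x6d835 against a recomputed 0x6f415 means the file was changed after the linker wrote the header, or was produced by a tool that never filled the field correctly. Windows only enforces IMAGE_OPTIONAL_HEADER.CheckSum for kernel-mode drivers and some boot-time images, so an ordinary user-mode DLL with a wrong value loads fine, which is why the field is so often stale in packed or patched malware. The script below is an added example, not part of the report: it recomputes the checksum with the standard algorithm (the file summed as 32-bit words with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus the file length) and compares it with the stored value. build_stub_pe() is a constructed fixture used only so the functions can be exercised offline; on a real file pass the path on the command line.

```python
"""Recompute and verify the PE/COFF header checksum.
Added example (standard library only); not code from the report."""
import struct
import sys


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum as computed by imagehlp's CheckSumMappedFile (and pefile).

    Sum all 32-bit words with end-around carry, skipping the CheckSum field,
    fold the result to 16 bits and add the file length.
    """
    if checksum_offset % 4 or checksum_offset + 4 > len(data):
        raise ValueError("CheckSum field must be dword-aligned and inside the file")
    # Pad to a dword multiple for the summation; the final length term uses the real size.
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew + 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 64; the field sits at
    the same offset in both PE32 and PE32+ optional headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def verify_checksum(data: bytes):
    """Return (stored, computed, matches).

    A stored value of 0 means the linker left the field empty, which is
    common for non-driver builds and not suspicious by itself.
    """
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def build_stub_pe(stored_checksum: int, size: int = 0x100) -> bytes:
    """Constructed fixture: MZ stub, e_lfanew = 0x40, PE signature and a
    CheckSum field, everything else zero.  Not a loadable image."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_stub_pe(0xDEADBEEF)   # deliberately wrong stored value
    stored, computed, ok = verify_checksum(blob)
    print(f"stored 0x{stored:x}  computed 0x{computed:x}  {'ok' if ok else 'MISMATCH'}")
```

Run against the sample the output should reproduce the report's pair (stored 0x6d835, computed 0x6f415); a mismatch is a triage hint, not a verdict, since many legitimate non-driver binaries never had a valid value either.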

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000712B IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000712B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10003578 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_10003578
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Note: this key is the AuthRoot certificate store. CryptoAPI registers a change notification on the system certificate store keys whenever a process opens them, so this entry is expected in any process that uses the store (for example for TLS) and is a weak indicator on its own; the autostart-protection explanation in the signature name is the generic one and does not fit this key.
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1908 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4792 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4624 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA, 2_2_100062E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s, 2_2_10004E7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418B2CC FindFirstFileW, 8_2_0418B2CC
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000011.00000002.483249319.00000125DA4E1000.00000004.00000001.sdmp Binary or memory string: &@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000011.00000002.482442900.00000125DA471000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.483338719.00000125DA4EB000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862133126.00000197B5854000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.861778615.00000197B002A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100127FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100127FF
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002127E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1002127E
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0473DDCA mov eax, dword ptr fs:[00000030h] 2_2_0473DDCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0463DDCA mov eax, dword ptr fs:[00000030h] 3_2_0463DDCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0407DDCA mov eax, dword ptr fs:[00000030h] 6_2_0407DDCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0418DDCA mov eax, dword ptr fs:[00000030h] 8_2_0418DDCA
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001E36A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1001E36A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100127FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100127FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10017834 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10017834

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 41.76.108.46 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 91.200.186.228 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
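The two rundll32 command lines in this report (NjTYb3VyzV.dll,Control_RunDLL started by loaddll32.exe, and "NjTYb3VyzV.dll",#1 started by cmd.exe) are the pattern the Sigma rule named in the overview keys on: rundll32 loading a DLL from a user-writable location, calling an export by ordinal or through Control_RunDLL, from a shell or scripting parent. The triage rule below is an added example written in the spirit of that detection; it is not the report's own text nor the Sigma project's rule. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage). The sample events are constructed: one benign control-panel invocation, the two command lines and parents from the report, and one hypothetical later execution from the SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu drop path, which the report records as a file move but not as a process start. loaddll32.exe is the sandbox harness, not a real-world parent, so it is deliberately left out of the suspicious-parent list.

```python
"""Triage rundll32 process-creation events for Emotet-style DLL execution.
Added example (standard library only); not the report's or Sigma's rule."""
import re
from typing import Dict, List

SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Locations an unprivileged user (or a document macro) can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
# rundll32 takes "<dll>,<export>"; "#N" calls the export by ordinal.
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")
CONTROL_RUNDLL = re.compile(r",\s*Control_RunDLL\b", re.I)
# The install path seen in this report: SysWOW64\<random letters>\<random letters>.<odd ext>
SYSWOW_RANDOM = re.compile(r"\\syswow64\\[a-z]{6,16}\\[a-z]{6,16}\.[a-z]{2,4}$", re.I)

# Constructed events (Sysmon Event ID 1 field names).  #1 is benign, #2 and #3
# reproduce the report's command lines, #4 is hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\System32\loaddll32.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",   # hypothetical re-execution from the drop path
     "CommandLine": r'rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",#1',
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dll_argument(cmdline: str) -> str:
    """The DLL path rundll32 was given: first argument, unquoted, without ',export'."""
    rest = re.sub(r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s*', "", cmdline, flags=re.I)
    return rest.split(",", 1)[0].strip().strip('"')


def triage_rundll32(ev: Dict[str, str]) -> List[str]:
    """Reasons the event looks like rundll32 abuse; an empty list means clean."""
    if basename(ev.get("Image", "")) != "rundll32.exe":
        return []
    cmd = ev.get("CommandLine", "")
    dll = dll_argument(cmd)
    reasons: List[str] = []
    if ORDINAL_EXPORT.search(cmd):
        reasons.append("export called by ordinal (#N)")
    if CONTROL_RUNDLL.search(cmd) and not dll.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("Control_RunDLL on a DLL outside System32")
    if USER_WRITABLE.search(dll):
        reasons.append("DLL loaded from a user-writable path")
    if SYSWOW_RANDOM.search(dll):
        reasons.append("non-.dll file in a random SysWOW64 subfolder")
    # Parent only raises the score when something else is already off.
    if reasons and basename(ev.get("ParentImage", "")) in SUSPICIOUS_PARENTS:
        reasons.append("spawned by " + basename(ev["ParentImage"]))
    return reasons


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = triage_rundll32(ev)
        print(("ALERT " if verdict else "ok    ") + ev["CommandLine"])
        for r in verdict:
            print("        - " + r)
```

The parent check is deliberately secondary: rundll32 from cmd.exe is common in administration scripts, and the DLL path and export form carry most of the signal. Ordinal exports are not malicious by themselves either (several legitimate installers use them), which is why the rule reports reasons rather than a single boolean.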

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2 occurrences)
Note: the svchost.exe entries under C:\ProgramData\Microsoft\Network\Downloader\ (qmgr.db, qmgr.jfm, edb.log, edb.chk) are the BITS service's own job database; this is ordinary Windows background activity and not behavior attributable to the sample. The single rundll32.exe query of C:\ is the one that belongs to the sample.
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 2_2_1002221F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 2_2_1000DFEB
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001C0B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1001C0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001D747 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 2_2_1001D747
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10006F89 _memset,GetVersionExA, 2_2_10006F89

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
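The sixty match lines above name the same regions twice, once as an unpacked PE file (`<pid>.<run>.<process>.<base>.<n>[.raw].unpack`) and once as a raw memory dump (`<pid>.<run>.<timestamp>.<base>.<protection>.<type>.sdmp`), so the actual number of distinct Emotet regions is far smaller: six in process 2, twelve in process 8, one each in processes 3 and 6. The parser below is an added example, not part of the report, that collapses the list into pid to base-address sets so an analyst knows which dumps to pull. The fifth field of the .sdmp names is 0x40 for every match here, which is the value of PAGE_EXECUTE_READWRITE and would fit freshly unpacked code; that reading is an assumption about Joe Sandbox's naming and the parser does not depend on it. The SAMPLE lines are copied from the report.

```python
"""Reduce Joe Sandbox 'Yara match File source' lines to distinct memory regions.
Added example (standard library only); not part of the report."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# '<pid>.<run>.<process>.<base hex>.<n>[.raw].unpack'; the process name may contain dots.
UNPACK = re.compile(r"^(\d+)\.\d+\.([\w.]+?)\.([0-9a-f]+)\.\d+(?:\.raw)?\.unpack$", re.I)
# '<pid 8 hex>.<run 8 hex>.<timestamp>.<base 16 hex>.<prot 8 hex>.<type 8 hex>.sdmp'
SDMP = re.compile(
    r"^([0-9a-f]{8})\.[0-9a-f]{8}\.\d+\.([0-9a-f]{16})\.[0-9a-f]{8}\.[0-9a-f]{8}\.sdmp$", re.I)
SOURCE = re.compile(r"File source:\s*(\S+?),\s*type:\s*(\w+)")

# Copied from the report (a subset of the lines above).
SAMPLE = """\
Source: Yara match File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
""".splitlines()


def yara_regions(lines: Iterable[str]) -> Dict[int, Set[int]]:
    """pid -> set of base addresses the Yara rule matched, both naming schemes merged."""
    out: Dict[int, Set[int]] = defaultdict(set)
    for line in lines:
        m = SOURCE.search(line)
        if not m:
            continue
        src, typ = m.groups()
        if typ == "UNPACKEDPE":
            u = UNPACK.match(src)
            if u:
                out[int(u.group(1))].add(int(u.group(3), 16))
        elif typ == "MEMORY":
            s = SDMP.match(src)
            if s:
                out[int(s.group(1), 16)].add(int(s.group(2), 16))
    return dict(out)


def dump_list(regions: Dict[int, Set[int]]) -> List[str]:
    """One line per process, bases sorted, ready for a dump or rebase script."""
    return [f"pid {pid}: " + ", ".join(f"0x{b:08x}" for b in sorted(bases))
            for pid, bases in sorted(regions.items())]


if __name__ == "__main__":
    for line in dump_list(yara_regions(SAMPLE)):
        print(line)
```

Feed it the full match list (for example the report's text export piped through stdin) and the .unpack names tell you which files already exist as dumps, while the .sdmp names give the in-process addresses to rebase them to for cross-referencing with the push/ret and fs:[30h] hits elsewhere in the report.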
[Legend of the contacted-IP map: buckets for share of IPs below 25%, 25% to 50%, 50% to 75%, and above 75%]