Windows Analysis Report nhlHEF5IVY

Overview

General Information

Sample Name: nhlHEF5IVY (renamed file extension from none to dll)
Analysis ID: 532437
MD5: 222719bd9555a8f48428737ab34a6fa6
SHA1: b56136e6d1460055917dcb74ed849c59b35300c0
SHA256: 81823e821dae4e623a5f11ccbed6e628443301afd92c0ab25e19d847927f5318
Tags: 32, dll, exe, trojan
Most interesting Screenshot:

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: nhlHEF5IVY.dll Virustotal: Detection: 21%
Source: nhlHEF5IVY.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: nhlHEF5IVY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: nhlHEF5IVY.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.915279800.00000000050C5000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.924793134.0000000001082000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0927 FindFirstFileExW, 0_2_6E4C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C0927 FindFirstFileExW, 3_2_6E4C0927

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg HTTP/1.1Cookie: DrcWAKIBJWmaxqN=NkwkVocWd047SxLTnw1OvmLB+y7EbvgbbH9cDzoVcpFNOiH8TbRd17jGnTLmWNipx6naMHQIxHoYSzVPwPUBguk9zuItniypi2IIMHTegZbqkVJWwTqchKZCJEa8CdEJDkVjt2aOuEy16JVPzsPhYdLbDzfrtQosc0fVFxySiyuZ2Y7WCYm/zmeA1M6ob5o15LY+hv4X21nJF77G9R41fwzvyhf3rU3FrwDrOHqAa5sf6LUeLTTVybt/UQchOBgws/vF1s9/PZn3NrIJuPHQYfArST/6AkbLzBYTa3j/AcnEZVaziuy3cR+3TC1sv3ribYi1bvhCo7VVaHXnRaRtEAor7phXtz8N45GtA3gEiEudNIRjPwbX6uabhA==Host: 45.63.5.129Connection: Keep-AliveCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: WerFault.exe, 00000011.00000002.960602395.000000000540C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.959116367.000000000540C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.959062497.00000000053F1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960586783.00000000053F1000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.1146026752.00000000034E4000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1183923476.00000000034E4000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1153205743.0000024B21900000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000011.00000002.960325858.0000000003478000.00000004.00000020.sdmp String found in binary or memory: http://crl.m
Source: WerFault.exe, 00000011.00000002.960325858.0000000003478000.00000004.00000020.sdmp String found in binary or memory: http://crl.microsoft%C
Source: svchost.exe, 0000001B.00000002.1153046299.0000024B210EC000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.14.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000013.00000002.1183844764.00000000034BA000.00000004.00000001.sdmp String found in binary or memory: https://45.63.5.129/
Source: rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp String found in binary or memory: https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg
Source: rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp String found in binary or memory: https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXgRG
Source: rundll32.exe, 00000013.00000002.1183797594.000000000346A000.00000004.00000020.sdmp String found in binary or memory: https://45.63.5.129/VCbYkbegGeqHFlwstrEAhPVucLQzDdpcoetAUGcPQabBfXg~
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.1130959349.0000024B21961000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129875776.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1129903525.0000024B219AC000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130969538.0000024B21961000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.1130904279.0000024B21990000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130892648.0000024B2196E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130827300.0000024B219C8000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130929870.0000024B21E02000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130914623.0000024B219B1000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1130856335.0000024B219C8000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.4:49794 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0.2.loaddll32.exe.c13908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3053568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3053568.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.952240.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2e60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.a60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.952240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.33c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.ce0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.a60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.c42240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c13908.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.950000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c13908.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.c42240.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2e60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.31734a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.31734a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.901292437.00000000009F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.911134147.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1183708651.00000000033C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.911209239.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.961859144.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.907559664.000000000315A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1013887623.0000000002DB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1014042657.000000000303A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.927676600.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.885371581.0000000000CE0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.926867950.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.908120712.0000000002E60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.927582691.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.908789818.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.907514993.0000000000C2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.910127434.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.857679684.0000000000AFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.909739396.0000000000950000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.908758600.000000000093A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1123003346.000000000348B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.926918217.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.962136592.0000000000BFB000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: nhlHEF5IVY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Kaxguqlsqyxr\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00971291 0_2_00971291
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00960E97 0_2_00960E97
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00960A93 0_2_00960A93
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096CE90 0_2_0096CE90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095FE9D 0_2_0095FE9D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096009A 0_2_0096009A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096A29B 0_2_0096A29B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096E899 0_2_0096E899
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095A083 0_2_0095A083
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095F48A 0_2_0095F48A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009590D4 0_2_009590D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009628D5 0_2_009628D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009652D1 0_2_009652D1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00971CDB 0_2_00971CDB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009592C1 0_2_009592C1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00952CC2 0_2_00952CC2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009720CE 0_2_009720CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009610CD 0_2_009610CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009662F5 0_2_009662F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00964CF5 0_2_00964CF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009584F0 0_2_009584F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009640FE 0_2_009640FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00951EFB 0_2_00951EFB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009546FA 0_2_009546FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095C0EA 0_2_0095C0EA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009656E9 0_2_009656E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0097261E 0_2_0097261E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096C205 0_2_0096C205
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095800A 0_2_0095800A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00953432 0_2_00953432
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095243F 0_2_0095243F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00959824 0_2_00959824
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096282D 0_2_0096282D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00953228 0_2_00953228
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096EA55 0_2_0096EA55
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00956453 0_2_00956453
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095CE5A 0_2_0095CE5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00967445 0_2_00967445
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00963043 0_2_00963043
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095AE43 0_2_0095AE43
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095544C 0_2_0095544C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095AA4E 0_2_0095AA4E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096B677 0_2_0096B677
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095387F 0_2_0095387F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095FA78 0_2_0095FA78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095B464 0_2_0095B464
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095EE60 0_2_0095EE60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00953A6C 0_2_00953A6C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00956869 0_2_00956869
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00957795 0_2_00957795
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095B191 0_2_0095B191
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00961591 0_2_00961591
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096DB87 0_2_0096DB87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00954B81 0_2_00954B81
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00963782 0_2_00963782
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00958D80 0_2_00958D80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095358B 0_2_0095358B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096E3B5 0_2_0096E3B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096D7BE 0_2_0096D7BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009559BF 0_2_009559BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009543BE 0_2_009543BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009685B8 0_2_009685B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096E5A7 0_2_0096E5A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00960BA4 0_2_00960BA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096DDA5 0_2_0096DDA5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009689A2 0_2_009689A2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009575D2 0_2_009575D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009519C0 0_2_009519C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095A3E7 0_2_0095A3E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009551EC 0_2_009551EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096EDED 0_2_0096EDED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095CB13 0_2_0095CB13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00954D1E 0_2_00954D1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096590E 0_2_0096590E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00963D0C 0_2_00963D0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096BF0C 0_2_0096BF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096970A 0_2_0096970A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096E10A 0_2_0096E10A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0096CD35 0_2_0096CD35
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095F73B 0_2_0095F73B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00969124 0_2_00969124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095A92F 0_2_0095A92F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00966540 0_2_00966540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00970370 0_2_00970370
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095BD61 0_2_0095BD61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0095CF6E 0_2_0095CF6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A9F10 0_2_6E4A9F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A77B4 0_2_6E4A77B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AD530 0_2_6E4AD530
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A1DE0 0_2_6E4A1DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A3A90 0_2_6E4A3A90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B0380 0_2_6E4B0380
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BE3A1 0_2_6E4BE3A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A6070 0_2_6E4A6070
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B10C0 0_2_6E4B10C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AA890 0_2_6E4AA890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE890 0_2_6E4AE890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A68B0 0_2_6E4A68B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4A9F10 3_2_6E4A9F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4A77B4 3_2_6E4A77B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4AD530 3_2_6E4AD530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4A1DE0 3_2_6E4A1DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4A3A90 3_2_6E4A3A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B0380 3_2_6E4B0380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BE3A1 3_2_6E4BE3A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4A6070 3_2_6E4A6070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B10C0 3_2_6E4B10C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4AA890 3_2_6E4AA890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4AE890 3_2_6E4AE890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4A68B0 3_2_6E4A68B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D01291 4_2_00D01291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFEA55 4_2_00CFEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF10CD 4_2_00CF10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D01CDB 4_2_00D01CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE2CC2 4_2_00CE2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE92C1 4_2_00CE92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE90D4 4_2_00CE90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF28D5 4_2_00CF28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF52D1 4_2_00CF52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D020CE 4_2_00D020CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEC0EA 4_2_00CEC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF56E9 4_2_00CF56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF40FE 4_2_00CF40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE46FA 4_2_00CE46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE1EFB 4_2_00CE1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF62F5 4_2_00CF62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF4CF5 4_2_00CF4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE84F0 4_2_00CE84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEF48A 4_2_00CEF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEA083 4_2_00CEA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEFE9D 4_2_00CEFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFA29B 4_2_00CFA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF009A 4_2_00CF009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFE899 4_2_00CFE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF0E97 4_2_00CF0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF0A93 4_2_00CF0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFCE90 4_2_00CFCE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEAA4E 4_2_00CEAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE544C 4_2_00CE544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF7445 4_2_00CF7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF3043 4_2_00CF3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEAE43 4_2_00CEAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CECE5A 4_2_00CECE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE6453 4_2_00CE6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE3A6C 4_2_00CE3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE6869 4_2_00CE6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEB464 4_2_00CEB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEEE60 4_2_00CEEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE387F 4_2_00CE387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEFA78 4_2_00CEFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFB677 4_2_00CFB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE800A 4_2_00CE800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFC205 4_2_00CFC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D0261E 4_2_00D0261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF282D 4_2_00CF282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE3228 4_2_00CE3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE9824 4_2_00CE9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE243F 4_2_00CE243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE3432 4_2_00CE3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE19C0 4_2_00CE19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE75D2 4_2_00CE75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFEDED 4_2_00CFEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE51EC 4_2_00CE51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEA3E7 4_2_00CEA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE358B 4_2_00CE358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFDB87 4_2_00CFDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF3782 4_2_00CF3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE8D80 4_2_00CE8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE4B81 4_2_00CE4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE7795 4_2_00CE7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF1591 4_2_00CF1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEB191 4_2_00CEB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFE5A7 4_2_00CFE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFDDA5 4_2_00CFDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF0BA4 4_2_00CF0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF89A2 4_2_00CF89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE43BE 4_2_00CE43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE59BF 4_2_00CE59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFD7BE 4_2_00CFD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF85B8 4_2_00CF85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFE3B5 4_2_00CFE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF6540 4_2_00CF6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00D00370 4_2_00D00370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CECF6E 4_2_00CECF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEBD61 4_2_00CEBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF590E 4_2_00CF590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF3D0C 4_2_00CF3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFBF0C 4_2_00CFBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF970A 4_2_00CF970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFE10A 4_2_00CFE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE4D1E 4_2_00CE4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CECB13 4_2_00CECB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEA92F 4_2_00CEA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF9124 4_2_00CF9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CEF73B 4_2_00CEF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CFCD35 4_2_00CFCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DD1291 8_2_02DD1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCEA55 8_2_02DCEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DD1CDB 8_2_02DD1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC28D5 8_2_02DC28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC52D1 8_2_02DC52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB90D4 8_2_02DB90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC10CD 8_2_02DC10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DD20CE 8_2_02DD20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB2CC2 8_2_02DB2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB92C1 8_2_02DB92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB1EFB 8_2_02DB1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB46FA 8_2_02DB46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC40FE 8_2_02DC40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC62F5 8_2_02DC62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC4CF5 8_2_02DC4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB84F0 8_2_02DB84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBC0EA 8_2_02DBC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC56E9 8_2_02DC56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCE899 8_2_02DCE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBFE9D 8_2_02DBFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCA29B 8_2_02DCA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC0E97 8_2_02DC0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCCE90 8_2_02DCCE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC0A93 8_2_02DC0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBF48A 8_2_02DBF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBA083 8_2_02DBA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBCE5A 8_2_02DBCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB6453 8_2_02DB6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBAA4E 8_2_02DBAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB544C 8_2_02DB544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBAE43 8_2_02DBAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC7445 8_2_02DC7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC3043 8_2_02DC3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBFA78 8_2_02DBFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB387F 8_2_02DB387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCB677 8_2_02DCB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB6869 8_2_02DB6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB3A6C 8_2_02DB3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBEE60 8_2_02DBEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBB464 8_2_02DBB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DD261E 8_2_02DD261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB800A 8_2_02DB800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCC205 8_2_02DCC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB243F 8_2_02DB243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB3432 8_2_02DB3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC282D 8_2_02DC282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB3228 8_2_02DB3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB9824 8_2_02DB9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB75D2 8_2_02DB75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB19C0 8_2_02DB19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCEDED 8_2_02DCEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB51EC 8_2_02DB51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBA3E7 8_2_02DBA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBB191 8_2_02DBB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC1591 8_2_02DC1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB7795 8_2_02DB7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB358B 8_2_02DB358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB4B81 8_2_02DB4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCDB87 8_2_02DCDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB8D80 8_2_02DB8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC3782 8_2_02DC3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCD7BE 8_2_02DCD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC85B8 8_2_02DC85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB59BF 8_2_02DB59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB43BE 8_2_02DB43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCE3B5 8_2_02DCE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC0BA4 8_2_02DC0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCDDA5 8_2_02DCDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCE5A7 8_2_02DCE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC89A2 8_2_02DC89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC6540 8_2_02DC6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DD0370 8_2_02DD0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBCF6E 8_2_02DBCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBBD61 8_2_02DBBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB4D1E 8_2_02DB4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBCB13 8_2_02DBCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC3D0C 8_2_02DC3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCBF0C 8_2_02DCBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC590E 8_2_02DC590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC970A 8_2_02DC970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCE10A 8_2_02DCE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBF73B 8_2_02DBF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DCCD35 8_2_02DCCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DBA92F 8_2_02DBA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC9124 8_2_02DC9124
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4BAC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4A1DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E4BAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E4A1DE0 appears 97 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: nhlHEF5IVY.dll Virustotal: Detection: 21%
Source: nhlHEF5IVY.dll ReversingLabs: Detection: 17%
Source: nhlHEF5IVY.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,ajkaibu Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,akyncbgollmj Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
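The process-creation lines above carry the pattern a detection engineer would key on: rundll32.exe spawning another rundll32.exe, a module with a non-DLL extension (.tnb) loaded from a randomly named subdirectory of C:\Windows\SysWOW64 (the same file the persistence section records as moved there), and the Control_RunDLL export or an ordinal (#1) applied to a module outside the usual system locations. The following Python is an added example, not part of this report and not the Sigma rule the report references; it applies those heuristics to Sysmon Event ID 1-style records. The field names, the heuristic labels and the SAMPLE_RECORDS are my own, constructed to mirror the report's lines.

```python
"""Flag Emotet-style rundll32 process chains in Sysmon Event ID 1-style records.

Added example, not part of the sandbox report. SAMPLE_RECORDS below are constructed
to mirror the report's "Process created" lines; field names follow Sysmon's
ParentImage / Image / CommandLine but the records themselves are synthetic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcRecord:
    parent_image: str
    image: str
    command_line: str


# Matches both  rundll32.exe "<module>",<export>  and  rundll32.exe <module>,<export>
_RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)
# A 32-bit process sees System32 redirected to SysWOW64, so treat both as the same directory.
_SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
_EXPECTED_EXTS = (".dll", ".cpl")


def parse_rundll32(command_line):
    """Return (module_path, export) for a rundll32 invocation, or None if it is not one."""
    m = _RUNDLL_RE.search(command_line)
    return (m.group("module"), m.group("export")) if m else None


def _in_system_subdir(module_lower):
    """True for C:\\Windows\\SysWOW64\\<dir>\\<file>, False for C:\\Windows\\SysWOW64\\<file>."""
    for d in _SYSTEM_DIRS:
        if module_lower.startswith(d) and "\\" in module_lower[len(d):]:
            return True
    return False


def classify(rec):
    """Return the list of heuristic labels (assumed names) that the record trips."""
    reasons = []
    if not rec.image.lower().endswith("\\rundll32.exe"):
        return reasons
    # Heuristic 1: rundll32 launching another rundll32 (report: rundll32 -> rundll32).
    if rec.parent_image.lower().endswith("\\rundll32.exe"):
        reasons.append("rundll32_spawned_by_rundll32")
    parsed = parse_rundll32(rec.command_line)
    if parsed is None:
        return reasons
    module, export = parsed
    mod = module.lower()
    usual_ext = mod.endswith(_EXPECTED_EXTS)
    # Heuristic 2: non-DLL module (.tnb in the report) under a subdirectory of the system directory.
    if _in_system_subdir(mod) and not usual_ext:
        reasons.append("non_dll_module_in_system_subdir")
    # Heuristic 3: Control_RunDLL on a module in the user profile or with an unusual extension;
    # Control_RunDLL on shell32.dll from a Control Panel launch is normal and is not flagged.
    if export.lower() == "control_rundll" and (mod.startswith("c:\\users\\") or not usual_ext):
        reasons.append("control_rundll_on_unusual_module")
    # Heuristic 4: export by ordinal (#1) on a module in the user profile.
    if export.startswith("#") and mod.startswith("c:\\users\\"):
        reasons.append("ordinal_export_from_user_path")
    return reasons


def analyze(records):
    """Map each record's command line to the heuristics it trips (empty list = clean)."""
    return {r.command_line: classify(r) for r in records}


# Constructed records modelled on the report's process tree; the last one is a benign
# Control Panel launch included as a negative case.
SAMPLE_RECORDS = [
    ProcRecord(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
               r'rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1'),
    ProcRecord(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
               r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb",ftpxGYjL'),
    ProcRecord(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
               r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kaxguqlsqyxr\izodilcglz.tnb",Control_RunDLL'),
    ProcRecord(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
               r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"),
]

if __name__ == "__main__":
    for cmd, reasons in analyze(SAMPLE_RECORDS).items():
        print("SUSPICIOUS" if reasons else "ok        ", cmd, reasons)
```

Both the C:\Windows\SysWOW64\... and the C:\Windows\System32\... spellings of the dropped path appear in the report; a 32-bit rundll32.exe resolves a System32 path to SysWOW64 through WOW64 file system redirection, which is the likely reason, so the checker treats both prefixes as the same system directory. The benign shell32.dll,Control_RunDLL record is included to show that Control_RunDLL alone is not a signal: legitimate Control Panel launches use the same export.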
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DED.tmp Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winDLL@36/14@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nhlHEF5IVY.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6152:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6028:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: nhlHEF5IVY.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: nhlHEF5IVY.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.915279800.00000000050C5000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.915459206.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915340001.00000000036C7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915541227.00000000036C7000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.915335337.00000000036C1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915454773.00000000036C1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.924793134.0000000001082000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.917352625.00000000054C1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.936734757.00000000056D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.915330304.00000000036BB000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.915597745.00000000036BB000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009513E7 push esi; retf 0_2_009513F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C6A93 push ecx; ret 0_2_6E4C6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C6A93 push ecx; ret 3_2_6E4C6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CE13E7 push esi; retf 4_2_00CE13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB13E7 push esi; retf 8_2_02DB13F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E4AE690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kaxguqlsqyxr\izodilcglz.tnb:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (observed 10 times) Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (observed 6 times) Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (observed 2 times) Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (observed 19 times) Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (observed 2 times) Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (observed 19 times) Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3984 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0927 FindFirstFileExW, 0_2_6E4C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C0927 FindFirstFileExW, 3_2_6E4C0927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.14.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001B.00000002.1152934438.0000024B21081000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1152331401.0000024B21081000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: VMware7,1
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000011.00000003.959043539.00000000053DB000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960574300.00000000053DD000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWjv59
Source: WerFault.exe, 00000011.00000003.959043539.00000000053DB000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960574300.00000000053DD000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.960375821.0000000003568000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.1146058499.00000000034BA000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1183844764.00000000034BA000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1183823263.0000000003496000.00000004.00000020.sdmp, svchost.exe, 0000001B.00000002.1153046299.0000024B210EC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4BAB0C
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E4AE690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4A1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6E4A1290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009607D2 mov eax, dword ptr fs:[00000030h] 0_2_009607D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9990 mov eax, dword ptr fs:[00000030h] 0_2_6E4B9990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BEC0B mov ecx, dword ptr fs:[00000030h] 0_2_6E4BEC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C02CC mov eax, dword ptr fs:[00000030h] 0_2_6E4C02CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9920 mov esi, dword ptr fs:[00000030h] 0_2_6E4B9920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B9920 mov eax, dword ptr fs:[00000030h] 0_2_6E4B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B9990 mov eax, dword ptr fs:[00000030h] 3_2_6E4B9990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BEC0B mov ecx, dword ptr fs:[00000030h] 3_2_6E4BEC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C02CC mov eax, dword ptr fs:[00000030h] 3_2_6E4C02CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B9920 mov esi, dword ptr fs:[00000030h] 3_2_6E4B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4B9920 mov eax, dword ptr fs:[00000030h] 3_2_6E4B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00CF07D2 mov eax, dword ptr fs:[00000030h] 4_2_00CF07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DC07D2 mov eax, dword ptr fs:[00000030h] 8_2_02DC07D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009628D5 LdrInitializeThunk, 0_2_009628D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4BA462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4BAB0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4C0326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E4BA462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E4BAB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E4C0326

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhlHEF5IVY.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6640 -ip 6640
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 320
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6640 -ip 6640
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 340
Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.927769327.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.926970530.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.910263558.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.911293400.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1184012844.00000000038F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA584 cpuid 0_2_6E4BA584
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E4BA755

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet