Windows Analysis Report 7MhGa3iotM

Overview

General Information

Sample Name: 7MhGa3iotM (renamed file extension from none to dll)
Analysis ID: 553129
MD5: 752a2613b2b71fc1b99eb611024cc312
SHA1: 7d59cf93d7b7644119b4f2b3742a40f9960c7ca5
SHA256: 2df1bd696a635b1dd0c2aec6a20b12148ccc17023be88a6fa1701896a99e2db0
Tags: 32 dll exe trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 13.2.rundll32.exe.4fa0000.12.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
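The extracted configuration is the most useful output of this report, so here is how to turn it into something operational. The following Python is an added example, not part of the Joe Sandbox report and not Emotet code: it takes the C2 list and the two base64 "Public Key" values exactly as printed above, decodes each as a Windows CNG BCRYPT_ECCKEY_BLOB (magic ECK1 for an ECDH P-256 public key, ECS1 for an ECDSA P-256 public key, then a little-endian coordinate length of 32 and the X and Y coordinates), checks the decoded point against the P-256 curve equation, and emits a destination-port histogram and local Suricata rules. The rule wording, SID range and message text are this example's choices, not the Emerging Threats rules cited in the Networking section.

```python
"""Post-processing for the Emotet configuration shown above.

Added example, not part of the Joe Sandbox report or of Emotet itself.
The C2 list and the two base64 "Public Key" values are copied verbatim
from the report; everything else (rule text, SIDs) is this example's choice.
"""
import base64
import ipaddress
import struct
from collections import Counter

# Copied from the "Found malware configuration" entry in the report.
EMOTET_CONFIG = {
    "C2 list": [
        "45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080",
        "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443",
        "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080",
        "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080",
        "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443",
        "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443",
        "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080",
        "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443",
        "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443",
    ],
    "Public Key": [
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    ],
}

# BCRYPT_ECCKEY_BLOB magics from bcrypt.h, as they appear in memory (little-endian).
ECC_MAGICS = {b"ECK1": "ECDH P-256 public key", b"ECS1": "ECDSA P-256 public key"}

# NIST P-256 field prime and curve coefficient b, used for the on-curve check only.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_c2(entries):
    """Turn 'ip:port' strings into (IPv4Address, int) pairs; malformed input raises."""
    pairs = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        pairs.append((ipaddress.IPv4Address(host), int(port)))
    return pairs


def decode_ecc_blob(b64):
    """Decode base64 BCRYPT_ECCKEY_BLOB: magic(4) | cbKey(4, LE) | X(cbKey) | Y(cbKey)."""
    raw = base64.b64decode(b64, validate=True)
    magic = raw[:4]
    cb_key = struct.unpack_from("<I", raw, 4)[0]
    if magic not in ECC_MAGICS or len(raw) != 8 + 2 * cb_key:
        raise ValueError("not a BCRYPT_ECCKEY_BLOB")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    return {"kind": ECC_MAGICS[magic], "cb_key": cb_key, "x": x, "y": y}


def is_ecc_blob(b64):
    """True if the base64 string decodes to a well-formed BCRYPT_ECCKEY_BLOB."""
    try:
        decode_ecc_blob(b64)
        return True
    except (ValueError, struct.error):
        return False


def on_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b (mod p), i.e. lies on P-256."""
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def port_histogram(c2s):
    """Count how many C2 endpoints sit on each destination port."""
    return Counter(port for _, port in c2s)


def suricata_rules(c2s, sid_base=9000000):
    """One local alert per C2 endpoint (not the Emerging Threats rules the report cites)."""
    rules = []
    for i, (ip, port) in enumerate(c2s):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"LOCAL Emotet C2 {ip}:{port} (Joe Sandbox analysis 553129)"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2s = parse_c2(EMOTET_CONFIG["C2 list"])
    print(f"{len(c2s)} C2 endpoints; ports: {dict(port_histogram(c2s))}")
    for b64 in EMOTET_CONFIG["Public Key"]:
        key = decode_ecc_blob(b64)
        print(f"{key['kind']}: {key['cb_key'] * 8}-bit coordinates, "
              f"on curve: {on_p256(key['x'], key['y'])}")
    print("\n".join(suricata_rules(c2s)))
```

Two things worth noticing when running it: the configuration carries only literal IP:port pairs, which is why the Networking section below lists "TCP traffic detected without corresponding DNS query" for both contacted servers and why DNS-layer blocking contributes nothing here; and the two key blobs are separate keys for two separate jobs (ECDH for deriving the session key, ECDSA for verifying what the server sends back), so a change in either one between samples marks a different botnet epoch, which makes the decoded blobs a better clustering key than the fast-rotating C2 list.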
Multi AV Scanner detection for submitted file
Source: 7MhGa3iotM.dll Virustotal: Detection: 29%
Source: 7MhGa3iotM.dll ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: 7MhGa3iotM.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 7MhGa3iotM.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49746 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49747 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
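The two findings above (a Microsoft-signed host binary, rundll32.exe, connecting to the C2 addresses) together with "Sigma detected: Suspicious Call by Ordinal" in the signature summary are the endpoint-side detections worth reproducing. The following Python is an added example, not part of the report: it runs four checks over a small set of constructed events shaped like Sysmon process-creation (ID 1), network-connection (ID 3) and DNS-query (ID 22) records. The command lines, the DLL path under AppData\Local\Temp and the Firefox control events are invented for the example; only the process numbers 5 and 13 (reused as stand-in PIDs), the destination IPs and the ports come from the report.

```python
"""Endpoint detections for the rundll32/regsvr32 behaviour in this report.

Added example, not part of the report. EVENTS is constructed telemetry shaped
like Sysmon process-creation (ID 1), network-connection (ID 3) and DNS-query
(ID 22) records; command lines and paths are invented for the example, and the
process numbers, destination IPs and ports are reused from the report.
"""
import re

EVENTS = [
    # Sample loaded by regsvr32 from a user-writable path (constructed command line).
    {"id": 1, "pid": 5, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\7MhGa3iotM.dll"'},
    # Sample loaded by rundll32 with an export called by ordinal (constructed).
    {"id": 1, "pid": 13, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Users\user\AppData\Local\Temp\7MhGa3iotM.dll",#1'},
    # Benign control: rundll32 calling a named export of a system DLL.
    {"id": 1, "pid": 30, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"},
    # The connections reported for rundll32.exe in the Networking section.
    {"id": 3, "pid": 13, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "69.16.218.101", "dst_port": 8080},
    {"id": 3, "pid": 13, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "45.138.98.34", "dst_port": 80},
    # Benign control: a browser resolving a name, then connecting to the answer.
    {"id": 22, "pid": 40, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com", "result": "93.184.216.34"},
    {"id": 3, "pid": 40, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}
# "<dll>,#<n>": export called by ordinal, the pattern behind the Sigma rule.
ORDINAL_RE = re.compile(r",\s*#\d+(\s|$)")
# DLL argument under a directory an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
WEB_PORTS = {80, 443}


def is_host_binary(image):
    """Match on the file name only; both System32 and SysWOW64 copies count."""
    return image.lower().rsplit("\\", 1)[-1] in HOST_BINARIES


def detect(events):
    """Return (rule_name, pid) findings; events must be in chronological order."""
    findings = []
    resolved = set()  # IPs returned by a DNS query seen earlier on this host
    for ev in events:
        if ev["id"] == 22:
            resolved.add(ev["result"])
        elif ev["id"] == 1 and is_host_binary(ev["image"]):
            if ORDINAL_RE.search(ev["cmd"]):
                findings.append(("host_binary_ordinal_call", ev["pid"]))
            if USER_WRITABLE_RE.search(ev["cmd"]):
                findings.append(("host_binary_dll_from_user_path", ev["pid"]))
        elif ev["id"] == 3 and is_host_binary(ev["image"]):
            if ev["dst_ip"] not in resolved:
                findings.append(("host_binary_connect_without_dns", ev["pid"]))
            if ev["dst_port"] not in WEB_PORTS:
                findings.append(("host_binary_nonstandard_port", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:35} pid={pid}")
```

The ordinal check carries the most weight: legitimate rundll32 invocations almost always name the export, while DLLs built to be launched this way are routinely called as ",#1". The no-DNS check needs DNS telemetry from the same host and fires on any literal-IP connection, and the port check fires on plenty of benign internal traffic, so use those two only in combination with the host-binary condition, as the function does, rather than as stand-alone alerts.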
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101 (reported 14 times)
Source: svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook), www.twitter.com (Twitter)
This string and the Store-catalog strings that follow it (Spotify, ProductId 9NCBCSZSJRSB, delivered via Windows Update fulfilment) were read from the memory of svchost.exe, a Windows service process, not from the sample's host processes (loaddll32.exe, regsvr32.exe, rundll32.exe); they are background OS activity in the sandbox and carry no information about the sample.
Source: svchost.exe, 00000014.00000003.394269231.000001B9FBF9D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","T
Z","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp String found in binary or memory: rings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8weky
b3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level
Source: svchost.exe, 00000014.00000002.409679137.000001B9FB6E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000014.00000002.409679137.000001B9FB6E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000D.00000003.326561339.0000000005262000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000D.00000003.326561339.0000000005262000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/.1
Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.391292817.000001B9FBF7B000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.391452171.000001B9FBF7B000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100012D0 recvfrom, 5_2_100012D0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000002.00000002.294900679.00000000010EB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
The matched text has the form of Windows application-compatibility shim (apphelp) metadata resident in the loader process, not of a DirectInput call made by the sample; on its own it is weak evidence of keystroke capture.
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 5_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 6_2_1000FF59
Both hits are the same function at 0x1000FF59 in the sample's image, seen once in each host process. Four GetKeyState calls followed by SendMessageA is also the pattern of ordinary UI code reading modifier-key state (Shift, Ctrl, Alt), so without evidence of a polling loop or of the captured data being stored or sent, treat this as low-confidence.

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 13.2.rundll32.exe.53a0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4ec0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54f0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4ef0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5390000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5520000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4e90000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4ac0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.43d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5580000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4fa0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.5620000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4c50000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.51a0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4d30000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4d90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.56b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4fa0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.56b0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4fd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4af0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.53a0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.50f0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4e60000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.53d0000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.52e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.51a0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.5620000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.43c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4d00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4af0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.50c0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5550000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.3430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.54f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.50c0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.51d0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.53c0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a90000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4d00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4e60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4c20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.45d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4c20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.56e0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.880000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.5390000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4ec0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4b20000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4990000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.5650000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.298606993.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294428773.0000000004E31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815959143.0000000004E91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298670924.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.816961696.00000000050F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.297938888.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.814399683.0000000002D50000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815700731.0000000004D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815587816.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.817960495.0000000005651000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298239999.00000000054F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.297817521.0000000004AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.297755557.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815509685.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.297710814.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.295787483.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.301385832.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815776896.0000000004D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.817419709.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.297893846.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298028546.0000000005390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298441375.0000000005550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.297464641.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.294757561.00000000043D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.816312049.0000000004FD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.297638381.00000000049C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298510030.0000000005581000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.816141431.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.814627918.00000000043C1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.297863633.0000000004B21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.816054659.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.814701416.0000000004480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294337664.0000000004E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.297583118.0000000004990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.816243405.0000000004FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.301361900.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.297668150.0000000004D91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.294482062.0000000002990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.817244449.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298093850.00000000053C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.295818674.0000000000881000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815880931.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.817694741.00000000053A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.817922483.0000000005620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.816664369.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815012363.00000000045D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.817778819.00000000053D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298383199.0000000005521000.00000020.00000001.sdmp, type: MEMORY
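Added example, not part of the Joe Sandbox report: a Python parser for the two naming schemes used in the Yara match list above and in the "Detected potential crypto function" list further down in this section. It assumes the Joe Sandbox conventions `<proc>.<stage>.<image>.<base hex>.<index>[.raw].unpack` and `<proc hex>.<stage hex>.<dump id>.<base hex>.<protection hex>.<flags hex>.sdmp`, and that the protection field is the winnt.h PAGE_* constant (0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE); the last sdmp field is left uninterpreted, and the 1 MiB attribution window is an assumption. Each code-function address is attributed to the Yara-hit region of the same process that contains it and expressed as an offset from that region base. On this report that makes the point an analyst wants confirmed: the offsets recur in regsvr32.exe (process 5) and in the rundll32.exe instances (6, 8 and, on the page, 10), so the "crypto functions" are one relocated payload, while the 0x1001xxxx addresses fall outside every dumped region (the DLL image as originally loaded). The embedded sample is a handful of lines copied from this report for processes 5, 6 and 8.

```python
"""Added example: parse Joe Sandbox Yara-match source names and 'Code function' addresses
and express each function as an offset into the Yara-hit region that contains it."""
import re
from collections import defaultdict

ALLOC = 0x10000   # Windows allocation granularity; dump and unpack bases are aligned to it
SPAN = 0x100000   # assumption: a function belongs to a region base at most 1 MiB below it
# Assumption: the fifth sdmp field is the winnt.h PAGE_* protection of the dumped region.
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

YARA_RE = re.compile(r"Yara match File source: (?P<name>\S+), type: (?P<kind>\w+)")
# <proc hex>.<stage hex>.<dump id>.<base hex>.<protect hex>.<flags hex>.sdmp
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\."
                     r"([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
# <proc>.<stage>.<image>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.([^.]+\.exe)\.([0-9A-F]+)\.(\d+)(\.raw)?\.unpack$", re.I)
# <proc>_<stage>_<address>; the report prints the address twice, the regex takes the first
FUNC_RE = re.compile(r"Code function: (\d+)_(\d+)_([0-9A-F]{8})", re.I)

def _region(regions, proc, base):
    return regions.setdefault((proc, base & ~(ALLOC - 1)),
                              {"image": None, "unpacked": 0, "protect": set()})

def parse_report(text):
    """regions: {(proc, aligned base): {image, unpacked count, protections seen}}
       funcs:   {proc: set of code-function addresses}"""
    regions, funcs = {}, defaultdict(set)
    for line in text.splitlines():
        y, f = YARA_RE.search(line), FUNC_RE.search(line)
        if y:
            s, u = SDMP_RE.match(y["name"]), UNPACK_RE.match(y["name"])
            if s:
                prot = int(s[4], 16)
                _region(regions, int(s[1], 16), int(s[3], 16))["protect"].add(PAGE.get(prot, hex(prot)))
            elif u:
                r = _region(regions, int(u[1]), int(u[4], 16))
                r["image"], r["unpacked"] = u[3], r["unpacked"] + 1
        elif f:
            funcs[int(f[1])].add(int(f[3], 16))
    return regions, dict(funcs)

def attribute_functions(regions, funcs):
    """Map each address to the nearest region base at or below it (same process, within SPAN).
    Returns {(proc, base): sorted offsets} and {proc: sorted addresses} that hit no region."""
    bases = defaultdict(list)
    for proc, base in regions:
        bases[proc].append(base)
    attributed, unattributed = defaultdict(set), defaultdict(set)
    for proc, addrs in funcs.items():
        for a in addrs:
            below = [b for b in bases.get(proc, []) if b <= a < b + SPAN]
            if below:
                attributed[(proc, max(below))].add(a - max(below))
            else:
                unattributed[proc].add(a)
    return ({k: sorted(v) for k, v in attributed.items()},
            {k: sorted(v) for k, v in unattributed.items()})

def shared_rvas(attributed):
    """Offsets present in every attributed region: the same code mapped at different bases."""
    sets = [set(v) for v in attributed.values()]
    return sorted(set.intersection(*sets)) if sets else []

# Sample input: lines copied from this report (processes 5, 6 and 8 only).
SAMPLE = """\
Source: Yara match File source: 5.2.regsvr32.exe.4e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.294428773.0000000004E31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294337664.0000000004E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.294757561.00000000043D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.297668150.0000000004D91000.00000020.00000001.sdmp, type: MEMORY
Source: C:\\Windows\\SysWOW64\\regsvr32.exe Code function: 5_2_10020011 5_2_10020011
Source: C:\\Windows\\SysWOW64\\regsvr32.exe Code function: 5_2_04E485FF 5_2_04E485FF
Source: C:\\Windows\\SysWOW64\\regsvr32.exe Code function: 5_2_04E4EFDD 5_2_04E4EFDD
Source: C:\\Windows\\SysWOW64\\regsvr32.exe Code function: 5_2_04E31CA1 5_2_04E31CA1
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 6_2_10020011 6_2_10020011
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 6_2_043E85FF 6_2_043E85FF
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 6_2_043EEFDD 6_2_043EEFDD
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 6_2_043D1CA1 6_2_043D1CA1
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 8_2_04DA85FF 8_2_04DA85FF
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 8_2_04DAEFDD 8_2_04DAEFDD
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 8_2_04DAFBDE 8_2_04DAFBDE
Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: 8_2_04D91CA1 8_2_04D91CA1
"""

if __name__ == "__main__":
    regions, funcs = parse_report(SAMPLE)
    att, unatt = attribute_functions(regions, funcs)
    for (proc, base), rvas in sorted(att.items()):
        print(f"proc {proc} region {base:#x} {regions[(proc, base)]['protect']}: "
              + ", ".join(f"{r:#x}" for r in rvas))
    print("shared offsets:", [f"{r:#x}" for r in shared_rvas(att)])
    print("outside any Yara-hit region:", {p: [f"{a:#x}" for a in v] for p, v in unatt.items()})
```

Feeding the whole report through `parse_report` instead of the sample gives the full picture; the Yara-hit memory dumps in this report all carry an execute protection (0x20 or 0x40), which is what makes "unpacked PE in executable private memory of a system binary" the right summary of the injection rather than merely "Yara matched".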

System Summary:

Uses 32bit PE files
Source: 7MhGa3iotM.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Kgiezrb\
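The two entries above describe one drop: rundll32.exe creates a randomly named directory under SysWOW64 and then removes the Zone.Identifier alternate data stream (the mark-of-the-web) from the file it placed there, so the file no longer looks downloaded. Added example, not part of the report: detection logic that turns that pair into rules and runs them over constructed event records. The record schema (process, op, path) is invented for the example, not Sysmon's or the sandbox's; the two malicious events are taken from this report and the benign ones are constructed controls. Either rule alone is noisy (users unblock downloads, installers write to System32); the join on the drop directory is what is worth alerting on.

```python
"""Added example: rules for a LOLBin dropping into a System32/SysWOW64 subdirectory and for
mark-of-the-web removal, plus a join of the two on the drop directory.
Event schema is constructed for this example."""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe"}

def split_ads(path):
    """Split 'C:\\dir\\file.ext:stream' into (file_path, stream); stream is None when the
    path names the file itself. Only a colon after the drive letter marks a stream."""
    drive, rest = path[:2], path[2:]
    if ":" in rest:
        file_part, _, stream = rest.rpartition(":")
        return drive + file_part, stream
    return path, None

def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def parent_dir(path):
    return path.rstrip("\\").rsplit("\\", 1)[0].lower()

def under_system_dir(path):
    low = path.lower()
    return any(low.startswith(d) for d in SYSTEM_DIRS)

def evaluate(event):
    """Return the names of the rules a single event triggers."""
    hits = []
    proc = basename(event["process"])
    file_path, stream = split_ads(event["path"])
    if event["op"] == "file_deleted" and stream and stream.lower() == "zone.identifier":
        # Only the provenance stream is removed; the file itself stays on disk.
        hits.append("motw_stripped")
    if proc in LOLBINS and event["op"] in ("dir_created", "file_created") \
            and under_system_dir(file_path):
        hits.append("lolbin_writes_system_dir")
    return hits

def correlate(events):
    """Directories where a LOLBin created content AND a mark-of-the-web stream was stripped."""
    created, stripped = set(), set()
    for e in events:
        hits = evaluate(e)
        file_path, _ = split_ads(e["path"])
        if "lolbin_writes_system_dir" in hits:
            created.add(file_path.rstrip("\\").lower() if e["op"] == "dir_created"
                        else parent_dir(file_path))
        if "motw_stripped" in hits:
            stripped.add(parent_dir(file_path))
    return sorted(created & stripped)

# Constructed events: the first two mirror the report entries above, the rest are controls.
EVENTS = [
    {"process": "C:\\Windows\\SysWOW64\\rundll32.exe", "op": "dir_created",
     "path": "C:\\Windows\\SysWOW64\\Kgiezrb\\"},
    {"process": "C:\\Windows\\SysWOW64\\rundll32.exe", "op": "file_deleted",
     "path": "C:\\Windows\\SysWOW64\\Kgiezrb\\edgitxrppqaf.tym:Zone.Identifier"},
    {"process": "C:\\Windows\\System32\\svchost.exe", "op": "file_created",
     "path": "C:\\Windows\\Temp\\update.log"},                      # benign write
    {"process": "C:\\Windows\\explorer.exe", "op": "file_deleted",
     "path": "C:\\Users\\a\\Downloads\\report.pdf:Zone.Identifier"},  # user unblocking a download
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["op"], e["path"], "->", evaluate(e) or "-")
    print("drop directories with both behaviours:", correlate(EVENTS))
```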
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10020011 5_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100181CA 5_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001929D 5_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002542D 5_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100274AE 5_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10026575 5_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001869D 5_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001178A 5_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10016860 5_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002596F 5_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10022A5C 5_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10018A71 5_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001AAB7 5_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001CB16 5_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10018E7D 5_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10025EB1 5_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E485FF 5_2_04E485FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4EFDD 5_2_04E4EFDD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4E4E5 5_2_04E4E4E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4CCD9 5_2_04E4CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E31CA1 5_2_04E31CA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4A474 5_2_04E4A474
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4DC71 5_2_04E4DC71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E37442 5_2_04E37442
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3A445 5_2_04E3A445
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E33431 5_2_04E33431
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E49DF5 5_2_04E49DF5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E355FF 5_2_04E355FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4C5D5 5_2_04E4C5D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3C5D8 5_2_04E3C5D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E43D85 5_2_04E43D85
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4654A 5_2_04E4654A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E52D53 5_2_04E52D53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E47D5B 5_2_04E47D5B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E48D3D 5_2_04E48D3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4AD08 5_2_04E4AD08
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E45515 5_2_04E45515
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E53EE9 5_2_04E53EE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4BEFD 5_2_04E4BEFD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E43EAA 5_2_04E43EAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E536AA 5_2_04E536AA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E40EBC 5_2_04E40EBC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E546BD 5_2_04E546BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3C6B8 5_2_04E3C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3DE74 5_2_04E3DE74
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E37E79 5_2_04E37E79
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4567B 5_2_04E4567B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3E640 5_2_04E3E640
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E42E5D 5_2_04E42E5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E38636 5_2_04E38636
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E467E6 5_2_04E467E6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3E7DE 5_2_04E3E7DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E377A3 5_2_04E377A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E48FAE 5_2_04E48FAE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E507AA 5_2_04E507AA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E517BD 5_2_04E517BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E357B8 5_2_04E357B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3BFBE 5_2_04E3BFBE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E40F86 5_2_04E40F86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E44F74 5_2_04E44F74
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E49774 5_2_04E49774
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E45779 5_2_04E45779
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4FF58 5_2_04E4FF58
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E31F38 5_2_04E31F38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3670B 5_2_04E3670B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3EF0C 5_2_04E3EF0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3F0E9 5_2_04E3F0E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E500EF 5_2_04E500EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E380C0 5_2_04E380C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4D8DB 5_2_04E4D8DB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3A871 5_2_04E3A871
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E37078 5_2_04E37078
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4F840 5_2_04E4F840
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3B820 5_2_04E3B820
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E48806 5_2_04E48806
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E52009 5_2_04E52009
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4E1F8 5_2_04E4E1F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4D1BC 5_2_04E4D1BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E46187 5_2_04E46187
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E32194 5_2_04E32194
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4017B 5_2_04E4017B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E42142 5_2_04E42142
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3D14C 5_2_04E3D14C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4E955 5_2_04E4E955
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4CAD5 5_2_04E4CAD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4A2A5 5_2_04E4A2A5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3BAA9 5_2_04E3BAA9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E40ABA 5_2_04E40ABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E50A64 5_2_04E50A64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E44A66 5_2_04E44A66
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E53263 5_2_04E53263
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E44244 5_2_04E44244
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4B257 5_2_04E4B257
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E49A01 5_2_04E49A01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E47A0F 5_2_04E47A0F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E34BFC 5_2_04E34BFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3FB8E 5_2_04E3FB8E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3238C 5_2_04E3238C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3F369 5_2_04E3F369
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E36B7A 5_2_04E36B7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E45333 5_2_04E45333
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E52B09 5_2_04E52B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10020011 6_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100181CA 6_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001929D 6_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002542D 6_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100274AE 6_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10026575 6_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001869D 6_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001178A 6_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10016860 6_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002596F 6_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10022A5C 6_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10018A71 6_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001AAB7 6_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001CB16 6_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10018E7D 6_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10025EB1 6_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E85FF 6_2_043E85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EEFDD 6_2_043EEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D3431 6_2_043D3431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EA474 6_2_043EA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EDC71 6_2_043EDC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DA445 6_2_043DA445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D7442 6_2_043D7442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D1CA1 6_2_043D1CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EE4E5 6_2_043EE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043ECCD9 6_2_043ECCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E8D3D 6_2_043E8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E5515 6_2_043E5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EAD08 6_2_043EAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E7D5B 6_2_043E7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F2D53 6_2_043F2D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E654A 6_2_043E654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E3D85 6_2_043E3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D55FF 6_2_043D55FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E9DF5 6_2_043E9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DC5D8 6_2_043DC5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EC5D5 6_2_043EC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D8636 6_2_043D8636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D7E79 6_2_043D7E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E567B 6_2_043E567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DDE74 6_2_043DDE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E2E5D 6_2_043E2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DE640 6_2_043DE640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E0EBC 6_2_043E0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F46BD 6_2_043F46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DC6B8 6_2_043DC6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E3EAA 6_2_043E3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F36AA 6_2_043F36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EBEFD 6_2_043EBEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F3EE9 6_2_043F3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D1F38 6_2_043D1F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DEF0C 6_2_043DEF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D670B 6_2_043D670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E5779 6_2_043E5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E4F74 6_2_043E4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E9774 6_2_043E9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EFF58 6_2_043EFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F17BD 6_2_043F17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DBFBE 6_2_043DBFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D57B8 6_2_043D57B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E8FAE 6_2_043E8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F07AA 6_2_043F07AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D77A3 6_2_043D77A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E0F86 6_2_043E0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E67E6 6_2_043E67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DE7DE 6_2_043DE7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DB820 6_2_043DB820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F2009 6_2_043F2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E8806 6_2_043E8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D7078 6_2_043D7078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DA871 6_2_043DA871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EF840 6_2_043EF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F00EF 6_2_043F00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DF0E9 6_2_043DF0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043ED8DB 6_2_043ED8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D80C0 6_2_043D80C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E017B 6_2_043E017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EE955 6_2_043EE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DD14C 6_2_043DD14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E2142 6_2_043E2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043ED1BC 6_2_043ED1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D2194 6_2_043D2194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E6187 6_2_043E6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EE1F8 6_2_043EE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E7A0F 6_2_043E7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E9A01 6_2_043E9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E4A66 6_2_043E4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F0A64 6_2_043F0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F3263 6_2_043F3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EB257 6_2_043EB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E4244 6_2_043E4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E0ABA 6_2_043E0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DBAA9 6_2_043DBAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043EA2A5 6_2_043EA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043ECAD5 6_2_043ECAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E5333 6_2_043E5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043F2B09 6_2_043F2B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D6B7A 6_2_043D6B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DF369 6_2_043DF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D238C 6_2_043D238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DFB8E 6_2_043DFB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D4BFC 6_2_043D4BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAB257 8_2_04DAB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9DE74 8_2_04D9DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA4A66 8_2_04DA4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB2009 8_2_04DB2009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA7A0F 8_2_04DA7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D98636 8_2_04D98636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9C5D8 8_2_04D9C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAEFDD 8_2_04DAEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA85FF 8_2_04DA85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB17BD 8_2_04DB17BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAFF58 8_2_04DAFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAE955 8_2_04DAE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA654A 8_2_04DA654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA2142 8_2_04DA2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9670B 8_2_04D9670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAAD08 8_2_04DAAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAD8DB 8_2_04DAD8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DACCD9 8_2_04DACCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DACAD5 8_2_04DACAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D980C0 8_2_04D980C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DABEFD 8_2_04DABEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9F0E9 8_2_04D9F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB3EE9 8_2_04DB3EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB00EF 8_2_04DB00EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAE4E5 8_2_04DAE4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA0ABA 8_2_04DA0ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9C6B8 8_2_04D9C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB46BD 8_2_04DB46BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA0EBC 8_2_04DA0EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA3EAA 8_2_04DA3EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9BAA9 8_2_04D9BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB36AA 8_2_04DB36AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D91CA1 8_2_04D91CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAA2A5 8_2_04DAA2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA2E5D 8_2_04DA2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9E640 8_2_04D9E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAF840 8_2_04DAF840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D97442 8_2_04D97442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9A445 8_2_04D9A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA4244 8_2_04DA4244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D97E79 8_2_04D97E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D97078 8_2_04D97078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA567B 8_2_04DA567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9A871 8_2_04D9A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DADC71 8_2_04DADC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAA474 8_2_04DAA474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB3263 8_2_04DB3263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DB0A64 8_2_04DB0A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA9A01 8_2_04DA9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA8806 8_2_04DA8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D93431 8_2_04D93431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9B820 8_2_04D9B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAFBDE 8_2_04DAFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9E7DE 8_2_04D9E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAC5D5 8_2_04DAC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DAE1F8 8_2_04DAE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA27F9 8_2_04DA27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D94BFC 8_2_04D94BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D955FF 8_2_04D955FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA07F4 8_2_04DA07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA9DF5 8_2_04DA9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA67E6 8_2_04DA67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D92194 8_2_04D92194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9238C 8_2_04D9238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9FB8E 8_2_04D9FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA0F86 8_2_04DA0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA6187 8_2_04DA6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04DA3D85 8_2_04DA3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D957B8 8_2_04D957B8
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001984C appears 48 times
Sample file is different than original file name gathered from version info
Source: 7MhGa3iotM.dll Binary or memory string: OriginalFilenameUDPTool.EXE: vs 7MhGa3iotM.dll
PE file contains strange resources
Source: 7MhGa3iotM.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: 7MhGa3iotM.dll Virustotal: Detection: 29%
Source: 7MhGa3iotM.dll ReversingLabs: Detection: 41%
Source: 7MhGa3iotM.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\7MhGa3iotM.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\7MhGa3iotM.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym",JFlwYpDQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kgiezrb\edgitxrppqaf.tym",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine Classification label: mal100.troj.evad.winDLL@27/9@0/28
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\SgrmBroker.exe Mutant created: \BaseNamedObjects\Local\SM0:7124:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource, 5_2_100126F9
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 7MhGa3iotM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7MhGa3iotM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7MhGa3iotM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7MhGa3iotM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7MhGa3iotM.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10019891 push ecx; ret 5_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10017C60 push ecx; ret 5_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E408E0 push esp; iretd 5_2_04E408E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E31195 push cs; iretd 5_2_04E31197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10019891 push ecx; ret 6_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10017C60 push ecx; ret 6_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043E08E0 push esp; iretd 6_2_043E08E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043D1195 push cs; iretd 6_2_043D1197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D91195 push cs; iretd 8_2_04D91197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00881195 push cs; iretd 10_2_00881197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04A808E0 push esp; iretd 12_2_04A808E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04A71195 push cs; iretd 12_2_04A71197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 5_2_10023A79
PE file contains an invalid checksum
Source: 7MhGa3iotM.dll Static PE information: real checksum: 0x66354 should be: 0x6f58d
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\7MhGa3iotM.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fackxudzoi\jiileh.ane:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 5_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 6_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 6_2_10008B90
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6436 Thread sleep time: -150000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.9 %
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000014.00000002.409679137.000001B9FB6E9000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.409043034.000001B9FB681000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.409605085.000001B9FB681000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000014.00000002.409626860.000001B9FB6A4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW #h

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_1001C49A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 5_2_10023A79
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 5_2_100178B6
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3F7F7 mov eax, dword ptr fs:[00000030h] 5_2_04E3F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_043DF7F7 mov eax, dword ptr fs:[00000030h] 6_2_043DF7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04D9F7F7 mov eax, dword ptr fs:[00000030h] 8_2_04D9F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0088F7F7 mov eax, dword ptr fs:[00000030h] 10_2_0088F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04A7F7F7 mov eax, dword ptr fs:[00000030h] 12_2_04A7F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 5_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 5_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 6_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 6_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
Source: svchost.exe, 00000001.00000002.813903951.0000017F37B90000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.814472998.0000000002FB0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000001.00000002.813903951.0000017F37B90000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.814472998.0000000002FB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000001.00000002.813903951.0000017F37B90000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.814472998.0000000002FB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000001.00000002.813903951.0000017F37B90000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.814472998.0000000002FB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 5_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 5_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 5_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 6_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 6_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 6_2_10023880
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10022853 cpuid 5_2_10022853
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 5_2_1001F914
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 5_2_100178B6

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000003.00000002.813310517.00000187EE63D000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000003.00000002.813369976.00000187EE702000.00000004.00000001.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000003.00000002.813228713.00000187EE613000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.813369976.00000187EE702000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 5_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 6_2_100011C0