Windows Analysis Report xxWrY2YG7s

Overview

General Information

Sample Name: xxWrY2YG7s (renamed file extension from none to dll)
Analysis ID: 553140
MD5: 9abf4d1ba2a69aa4188ced6fb4603521
SHA1: 96c629d97003101dc767dea1904906f0d1d397f1
SHA256: d3812d7714e2ef78ddeec78ccc9384d41dd3a36e61b2724b0da81833e750df58
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.c20000.1.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: xxWrY2YG7s.dll Virustotal: Detection: 35%
Source: xxWrY2YG7s.dll ReversingLabs: Detection: 41%
Antivirus detection for URL or domain
Source: https://45.138.98.34/ Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/agTEyDHCnXsPfzGXJQYZqenIQJ Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/agTEyDHCnXsPfzGXJQYZqenIQ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://45.138.98.34/ Virustotal: Detection: 10%
Machine Learning detection for sample
Source: xxWrY2YG7s.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: xxWrY2YG7s.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: iphlpapi.pdb7 source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbM source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.267840034.0000000004F77000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292394761.0000000002B65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292304746.0000000004489000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293332674.0000000002B65000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.281739906.00000000030A2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.272409759.0000000005405000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293551321.0000000002B5F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292377523.0000000002B5F000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000E.00000003.272409759.0000000005405000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb/ source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb_ source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297271185.00000000048A5000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292410735.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293341268.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293486034.0000000002B6B000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297249058.00000000048A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.292410735.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293341268.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293486034.0000000002B6B000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297249058.00000000048A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.292394761.0000000002B65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293332674.0000000002B65000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297249058.00000000048A0000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb) source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297271185.00000000048A5000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.293551321.0000000002B5F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292377523.0000000002B5F000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49757 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49758 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49758 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000028.00000003.568532653.000002015079E000.00000004.00000001.sdmp String found in binary or memory:
Source: svchost.exe, 00000009.00000002.603510789.0000019B31285000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.301082272.0000000002ECB000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.777094062.0000000002ECB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.314179715.0000000002AA7000.00000004.00000020.sdmp, svchost.exe, 00000028.00000002.587052307.0000020150700000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000009.00000002.603378937.0000019B31212000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.586862467.000002014FEEA000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000D.00000003.301082272.0000000002ECB000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.777094062.0000000002ECB000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 0000000D.00000003.301082272.0000000002ECB000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.777094062.0000000002ECB000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000D.00000003.297844982.0000000002EFD000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f8d063a50f656
Source: svchost.exe, 00000028.00000003.562839006.0000020150783000.00000004.00000001.sdmp, svchost.exe, 00000028.00000003.562986646.0000020150C02000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.14.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000013.00000002.312085484.0000027A38413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000010.00000002.774390239.00000214CF244000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000010.00000002.774390239.00000214CF244000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp String found in binary or memory: https://45.138.98.34/
Source: rundll32.exe, 0000000D.00000002.776922125.0000000002E84000.00000004.00000020.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp String found in binary or memory: https://45.138.98.34:80/agTEyDHCnXsPfzGXJQYZqenIQ
Source: rundll32.exe, 0000000D.00000002.776922125.0000000002E84000.00000004.00000020.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp String found in binary or memory: https://45.138.98.34:80/agTEyDHCnXsPfzGXJQYZqenIQJ
Source: rundll32.exe, 0000000D.00000002.776922125.0000000002E84000.00000004.00000020.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp String found in binary or memory: https://69.16.218.101/
Source: rundll32.exe, 0000000D.00000002.776922125.0000000002E84000.00000004.00000020.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp String found in binary or memory: https://69.16.218.101/G
Source: rundll32.exe, 0000000D.00000003.301202943.0000000002EAB000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.777016597.0000000002EAC000.00000004.00000020.sdmp String found in binary or memory: https://69.16.218.101:8080/NQbeMXcWTESmhJWzNZdRzYJrZhrGWdowCoKKXptrBDbOXrQJliSfIh
Source: rundll32.exe, 0000000D.00000002.776922125.0000000002E84000.00000004.00000020.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp String found in binary or memory: https://69dl.windowsupdate.com/
Source: svchost.exe, 00000010.00000002.774390239.00000214CF244000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000013.00000003.311438363.0000027A38461000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000010.00000002.774260928.00000214CF229000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100012D0 recvfrom, 2_2_100012D0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.315277004.000000000153B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet

System Summary:

Uses 32bit PE files
Source: xxWrY2YG7s.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6472 -ip 6472
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ynbglcmtebwefkh\
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6FB8E 2_2_00E6FB8E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6238C 2_2_00E6238C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6F369 2_2_00E6F369
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E66B7A 2_2_00E66B7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7437A 2_2_00E7437A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E75333 2_2_00E75333
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E82B09 2_2_00E82B09
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7E4E5 2_2_00E7E4E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7CCD9 2_2_00E7CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E61CA1 2_2_00E61CA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7A474 2_2_00E7A474
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7DC71 2_2_00E7DC71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6A445 2_2_00E6A445
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E67442 2_2_00E67442
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E63431 2_2_00E63431
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E79DF5 2_2_00E79DF5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E655FF 2_2_00E655FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7C5D5 2_2_00E7C5D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6C5D8 2_2_00E6C5D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E73D85 2_2_00E73D85
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7654A 2_2_00E7654A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E82D53 2_2_00E82D53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E77D5B 2_2_00E77D5B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E78D3D 2_2_00E78D3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7AD08 2_2_00E7AD08
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E75515 2_2_00E75515
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E83EE9 2_2_00E83EE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7BEFD 2_2_00E7BEFD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E836AA 2_2_00E836AA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E73EAA 2_2_00E73EAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E846BD 2_2_00E846BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E70EBC 2_2_00E70EBC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6C6B8 2_2_00E6C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6DE74 2_2_00E6DE74
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7567B 2_2_00E7567B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E67E79 2_2_00E67E79
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6E640 2_2_00E6E640
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E72E5D 2_2_00E72E5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E68636 2_2_00E68636
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E767E6 2_2_00E767E6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E707F4 2_2_00E707F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E727F9 2_2_00E727F9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6E7DE 2_2_00E6E7DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E807AA 2_2_00E807AA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E677A3 2_2_00E677A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E78FAE 2_2_00E78FAE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E817BD 2_2_00E817BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6BFBE 2_2_00E6BFBE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E657B8 2_2_00E657B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E70F86 2_2_00E70F86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E74F74 2_2_00E74F74
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E79774 2_2_00E79774
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E75779 2_2_00E75779
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E7FF58 2_2_00E7FF58
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E61F38 2_2_00E61F38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6EF0C 2_2_00E6EF0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6670B 2_2_00E6670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10020011 3_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100181CA 3_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001929D 3_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002542D 3_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100274AE 3_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10026575 3_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001869D 3_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001178A 3_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10016860 3_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002596F 3_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022A5C 3_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018A71 3_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001AAB7 3_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CB16 3_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018E7D 3_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10025EB1 3_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047585FF 3_2_047585FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475EFDD 3_2_0475EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475A474 3_2_0475A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475DC71 3_2_0475DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474A445 3_2_0474A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04747442 3_2_04747442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04743431 3_2_04743431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475E4E5 3_2_0475E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475CCD9 3_2_0475CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04741CA1 3_2_04741CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04762D53 3_2_04762D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04757D5B 3_2_04757D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475654A 3_2_0475654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04758D3D 3_2_04758D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04755515 3_2_04755515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475AD08 3_2_0475AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04759DF5 3_2_04759DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047455FF 3_2_047455FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475C5D5 3_2_0475C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474C5D8 3_2_0474C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04753D85 3_2_04753D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474DE74 3_2_0474DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04747E79 3_2_04747E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475567B 3_2_0475567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04752E5D 3_2_04752E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474E640 3_2_0474E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04748636 3_2_04748636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475BEFD 3_2_0475BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04763EE9 3_2_04763EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04750EBC 3_2_04750EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047646BD 3_2_047646BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474C6B8 3_2_0474C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047636AA 3_2_047636AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04753EAA 3_2_04753EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04754F74 3_2_04754F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04759774 3_2_04759774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04755779 3_2_04755779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475FF58 3_2_0475FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04741F38 3_2_04741F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474EF0C 3_2_0474EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474670B 3_2_0474670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047507F4 3_2_047507F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047527F9 3_2_047527F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047567E6 3_2_047567E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474E7DE 3_2_0474E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474BFBE 3_2_0474BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047617BD 3_2_047617BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047457B8 3_2_047457B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047477A3 3_2_047477A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04758FAE 3_2_04758FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047607AA 3_2_047607AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04750F86 3_2_04750F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474A871 3_2_0474A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04747078 3_2_04747078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475F840 3_2_0475F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474B820 3_2_0474B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04758806 3_2_04758806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04762009 3_2_04762009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047600EF 3_2_047600EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474F0E9 3_2_0474F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475D8DB 3_2_0475D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_047480C0 3_2_047480C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475017B 3_2_0475017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475E955 3_2_0475E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04752142 3_2_04752142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474D14C 3_2_0474D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475E1F8 3_2_0475E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475D1BC 3_2_0475D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04742194 3_2_04742194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04756187 3_2_04756187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04760A64 3_2_04760A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04754A66 3_2_04754A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04763263 3_2_04763263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475B257 3_2_0475B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04754244 3_2_04754244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04759A01 3_2_04759A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04757A0F 3_2_04757A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475CAD5 3_2_0475CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04750ABA 3_2_04750ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475A2A5 3_2_0475A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474BAA9 3_2_0474BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04746B7A 3_2_04746B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475437A 3_2_0475437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474F369 3_2_0474F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04755333 3_2_04755333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04762B09 3_2_04762B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04744BFC 3_2_04744BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0475FBDE 3_2_0475FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474238C 3_2_0474238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474FB8E 3_2_0474FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2A445 7_2_00C2A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3B257 7_2_00C3B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C34A66 7_2_00C34A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2DE74 7_2_00C2DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C37A0F 7_2_00C37A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C42009 7_2_00C42009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C28636 7_2_00C28636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2C5D8 7_2_00C2C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3EFDD 7_2_00C3EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C385FF 7_2_00C385FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C417BD 7_2_00C417BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C32142 7_2_00C32142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3654A 7_2_00C3654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3E955 7_2_00C3E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3FF58 7_2_00C3FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2670B 7_2_00C2670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3AD08 7_2_00C3AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C280C0 7_2_00C280C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3CAD5 7_2_00C3CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3D8DB 7_2_00C3D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3CCD9 7_2_00C3CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3E4E5 7_2_00C3E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2F0E9 7_2_00C2F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C400EF 7_2_00C400EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C43EE9 7_2_00C43EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3BEFD 7_2_00C3BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C21CA1 7_2_00C21CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3A2A5 7_2_00C3A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C33EAA 7_2_00C33EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2BAA9 7_2_00C2BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C436AA 7_2_00C436AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C446BD 7_2_00C446BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C30ABA 7_2_00C30ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2C6B8 7_2_00C2C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C30EBC 7_2_00C30EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C27442 7_2_00C27442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2E640 7_2_00C2E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3F840 7_2_00C3F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C34244 7_2_00C34244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C32E5D 7_2_00C32E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C40A64 7_2_00C40A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C43263 7_2_00C43263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3DC71 7_2_00C3DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2A871 7_2_00C2A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3A474 7_2_00C3A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3567B 7_2_00C3567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C27078 7_2_00C27078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C27E79 7_2_00C27E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C39A01 7_2_00C39A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C38806 7_2_00C38806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2B820 7_2_00C2B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C23431 7_2_00C23431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3C5D5 7_2_00C3C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2E7DE 7_2_00C2E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3FBDE 7_2_00C3FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C367E6 7_2_00C367E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C39DF5 7_2_00C39DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C307F4 7_2_00C307F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C327F9 7_2_00C327F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3E1F8 7_2_00C3E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C255FF 7_2_00C255FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C24BFC 7_2_00C24BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C36187 7_2_00C36187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C30F86 7_2_00C30F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C33D85 7_2_00C33D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2FB8E 7_2_00C2FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2238C 7_2_00C2238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C22194 7_2_00C22194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C277A3 7_2_00C277A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C38FAE 7_2_00C38FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C407AA 7_2_00C407AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C257B8 7_2_00C257B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2BFBE 7_2_00C2BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3D1BC 7_2_00C3D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2D14C 7_2_00C2D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C42D53 7_2_00C42D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C37D5B 7_2_00C37D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2F369 7_2_00C2F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C34F74 7_2_00C34F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C39774 7_2_00C39774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C26B7A 7_2_00C26B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3017B 7_2_00C3017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C3437A 7_2_00C3437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C35779 7_2_00C35779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C42B09 7_2_00C42B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2EF0C 7_2_00C2EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C35515 7_2_00C35515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C35333 7_2_00C35333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C21F38 7_2_00C21F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C38D3D 7_2_00C38D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4EFDD 11_2_04C4EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C485FF 11_2_04C485FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C380C0 11_2_04C380C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4CAD5 11_2_04C4CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4CCD9 11_2_04C4CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4D8DB 11_2_04C4D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4E4E5 11_2_04C4E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3F0E9 11_2_04C3F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C500EF 11_2_04C500EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C53EE9 11_2_04C53EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4BEFD 11_2_04C4BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4A2A5 11_2_04C4A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C31CA1 11_2_04C31CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3BAA9 11_2_04C3BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C43EAA 11_2_04C43EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C536AA 11_2_04C536AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C546BD 11_2_04C546BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C40EBC 11_2_04C40EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3C6B8 11_2_04C3C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C40ABA 11_2_04C40ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C44244 11_2_04C44244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C37442 11_2_04C37442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3E640 11_2_04C3E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4F840 11_2_04C4F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3A445 11_2_04C3A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4B257 11_2_04C4B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C42E5D 11_2_04C42E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C50A64 11_2_04C50A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C44A66 11_2_04C44A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C53263 11_2_04C53263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4A474 11_2_04C4A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3A871 11_2_04C3A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4DC71 11_2_04C4DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3DE74 11_2_04C3DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C37E79 11_2_04C37E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C37078 11_2_04C37078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4567B 11_2_04C4567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C48806 11_2_04C48806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C49A01 11_2_04C49A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C47A0F 11_2_04C47A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C52009 11_2_04C52009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3B820 11_2_04C3B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C33431 11_2_04C33431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C38636 11_2_04C38636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4C5D5 11_2_04C4C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4FBDE 11_2_04C4FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3C5D8 11_2_04C3C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3E7DE 11_2_04C3E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C467E6 11_2_04C467E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C407F4 11_2_04C407F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C49DF5 11_2_04C49DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4E1F8 11_2_04C4E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C355FF 11_2_04C355FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C427F9 11_2_04C427F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C34BFC 11_2_04C34BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C43D85 11_2_04C43D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C40F86 11_2_04C40F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C46187 11_2_04C46187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3FB8E 11_2_04C3FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3238C 11_2_04C3238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C32194 11_2_04C32194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C377A3 11_2_04C377A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C48FAE 11_2_04C48FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C507AA 11_2_04C507AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4D1BC 11_2_04C4D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C517BD 11_2_04C517BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C357B8 11_2_04C357B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3BFBE 11_2_04C3BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C42142 11_2_04C42142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4654A 11_2_04C4654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3D14C 11_2_04C3D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4E955 11_2_04C4E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C52D53 11_2_04C52D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4FF58 11_2_04C4FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C47D5B 11_2_04C47D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3F369 11_2_04C3F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C44F74 11_2_04C44F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C49774 11_2_04C49774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C36B7A 11_2_04C36B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C45779 11_2_04C45779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4437A 11_2_04C4437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4017B 11_2_04C4017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3670B 11_2_04C3670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C52B09 11_2_04C52B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C4AD08 11_2_04C4AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3EF0C 11_2_04C3EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C45515 11_2_04C45515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C45333 11_2_04C45333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C48D3D 11_2_04C48D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C31F38 11_2_04C31F38
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10017BC1 appears 67 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001984C appears 48 times
Sample file is different than original file name gathered from version info
Source: xxWrY2YG7s.dll Binary or memory string: OriginalFilenameUDPTool.EXE: vs xxWrY2YG7s.dll
PE file contains strange resources
Source: xxWrY2YG7s.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: xxWrY2YG7s.dll Virustotal: Detection: 35%
Source: xxWrY2YG7s.dll ReversingLabs: Detection: 41%
Source: xxWrY2YG7s.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xxWrY2YG7s.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xxWrY2YG7s.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya",aBwRbswnSV
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6472 -ip 6472
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bcdsqhgufomb\pnioy.zya",DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 524
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6472 -ip 6472
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 512
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xxWrY2YG7s.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xxWrY2YG7s.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya",aBwRbswnSV Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6472 -ip 6472 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 524 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6472 -ip 6472 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 512 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bcdsqhgufomb\pnioy.zya",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER29A4.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@41/23@0/29
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6472
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4308:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4752:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6864:64:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource, 2_2_100126F9
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: iphlpapi.pdb7 source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbM source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.267840034.0000000004F77000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292394761.0000000002B65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292304746.0000000004489000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293332674.0000000002B65000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.281739906.00000000030A2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.272409759.0000000005405000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293551321.0000000002B5F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292377523.0000000002B5F000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000E.00000003.272409759.0000000005405000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb/ source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb_ source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297271185.00000000048A5000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292410735.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293341268.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293486034.0000000002B6B000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297296027.00000000048A8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297200362.00000000048A8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000E.00000003.272363326.0000000005402000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297249058.00000000048A0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.272404509.0000000005400000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.292410735.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293341268.0000000002B6B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293486034.0000000002B6B000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297249058.00000000048A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.292394761.0000000002B65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.293332674.0000000002B65000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297249058.00000000048A0000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.297171798.0000000004741000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb) source: WerFault.exe, 0000000E.00000003.272371296.0000000005408000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.272414115.0000000005408000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000014.00000003.297190009.00000000048A2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.297271185.00000000048A5000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.293551321.0000000002B5F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.292377523.0000000002B5F000.00000004.00000001.sdmp
Source: xxWrY2YG7s.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xxWrY2YG7s.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xxWrY2YG7s.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xxWrY2YG7s.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xxWrY2YG7s.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F51195 push cs; iretd 0_2_02F51197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10019891 push ecx; ret 2_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10017C60 push ecx; ret 2_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E61195 push cs; iretd 2_2_00E61197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019891 push ecx; ret 3_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10017C60 push ecx; ret 3_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04741195 push cs; iretd 3_2_04741197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C21195 push cs; iretd 7_2_00C21197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C31195 push cs; iretd 11_2_04C31197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
PE file contains an invalid checksum
Source: xxWrY2YG7s.dll Static PE information: real checksum: 0x66354 should be: 0x6c52b
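The checksum line above is worth reproducing independently rather than taking on trust: the value stored in IMAGE_OPTIONAL_HEADER.CheckSum (the "real checksum", 0x66354) no longer matches what the header bytes and file length produce (0x6c52b), so the file was modified after the linker wrote it. The following is an added example, not part of this report and not code from the sample: a stand-alone reimplementation of the PE checksum algorithm (16-bit word sum with end-around carry, CheckSum field skipped, plus file length, which is what imagehlp's CheckSumMappedFile computes) with a constructed PE-shaped buffer for the self-check. The 512-byte buffer and the e_lfanew value 0x40 are this example's assumptions for the test input, not values taken from the sample.

```python
import struct
import sys


def _checksum_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: PE signature (4) + COFF header (20) + 64,
    the same for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 0x58


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way imagehlp's CheckSumMappedFile does:
    sum every 16-bit little-endian word with end-around carry, skipping the 4-byte
    CheckSum field itself, fold the result to 16 bits, then add the file length."""
    cs_off = _checksum_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off == cs_off or off == cs_off + 2:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                       # odd trailing byte is padded with a zero high byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """The value the linker (or whoever touched the file last) left in the header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def verify_checksum(data: bytes):
    """Return (stored, computed, verdict). 'unset' (zero) is normal for user-mode binaries;
    'mismatch' means the image was changed after the header was written."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return stored, computed, verdict


def make_sample(stored: int = 0) -> bytes:
    """Constructed 512-byte PE-shaped buffer for the self-check (not a loadable image):
    MZ signature, e_lfanew = 0x40, PE signature, everything else zero. These values are
    this example's assumptions, not taken from the analysed sample."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 0x58, stored)
    return bytes(buf)


if __name__ == "__main__":
    # python pe_checksum.py <file.dll>; with no argument it checks the constructed buffer
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = make_sample(0x66354)
    stored, computed, verdict = verify_checksum(blob)
    print(f"stored checksum: {stored:#x}  recomputed: {computed:#x}  -> {verdict}")
```

A stored value of zero is the common case for non-driver binaries and is not a finding on its own; the useful signal is a non-zero stored value that disagrees with the recomputed one, because the linker writes a correct value and packers, resource editors and manual patches often do not fix it up. For the sample above the script should print the same pair the report shows, 0x66354 stored against 0x6c52b recomputed.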
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xxWrY2YG7s.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya Jump to behavior
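The process creations listed earlier in this section together with the PE file moved to C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya are the parts of this report that translate directly into endpoint detection: rundll32.exe and regsvr32.exe loading a module from the user's Desktop, rundll32.exe calling an export by ordinal (#1), and rundll32.exe re-spawning itself to load a randomly named file with a non-DLL extension from a SysWOW64 subdirectory (the C:\Windows\System32\Bcdsqhgufomb\pnioy.zya spelling in one command line is the same file seen through WOW64 file-system redirection, which a detection keyed on the literal string "SysWOW64" would miss). The following is an added example, not part of the report and not the sandbox's own logic: a small rule set over process-creation records. The ProcEvent layout and the sample records are constructed for this example and modelled on the command lines above; in practice the same functions would be fed Sysmon Event ID 1 or EDR process telemetry.

```python
import re
from dataclasses import dataclass

DLL_LIKE_EXT = {".dll", ".ocx", ".cpl", ".ax", ".drv"}
# A 32-bit process sees System32 redirected to SysWOW64, so both spellings are one tree for it.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed records modelled on the process tree in this report (this example's own layout).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1'),
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\user\Desktop\xxWrY2YG7s.dll"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya",aBwRbswnSV'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bcdsqhgufomb\pnioy.zya",DllRegisterServer'),
    # benign control record: a Control Panel applet launched from the shell (constructed)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

_ARGV0 = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def _args(cmdline: str) -> str:
    """Everything after argv[0], which may be a quoted path or a bare token."""
    m = _ARGV0.match(cmdline.strip())
    return m.group(1) if m else ""


def parse_rundll32(cmdline: str):
    """Return (module, export) from 'rundll32 <module>,<export>'; module is None if absent."""
    rest = _args(cmdline)
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None, ""
        module, tail = rest[1:end], rest[end + 1:]
    else:
        module, sep, tail = rest.partition(",")
        module, tail = module.strip(), sep + tail
    export = tail[1:].split()[0] if tail.startswith(",") and tail[1:].strip() else ""
    return module or None, export


def parse_regsvr32(cmdline: str):
    """Return the module path from 'regsvr32 [/s] [/i:...] <module>' (last non-switch token)."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', _args(cmdline))]
    paths = [t for t in tokens if not t.startswith("/")]
    return paths[-1] if paths else None


def analyze(ev: ProcEvent):
    """Apply the rules to one process-creation record; return the names of the rules that fired."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if image == "rundll32.exe":
        module, export = parse_rundll32(ev.command_line)
    elif image == "regsvr32.exe":
        module, export = parse_regsvr32(ev.command_line), ""
    else:
        return []
    if module is None:
        return []
    findings = []
    low = module.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in DLL_LIKE_EXT:
        findings.append(f"module has non-DLL extension {ext or '(none)'}")
    if any(low.startswith(d) and "\\" in low[len(d):] for d in SYSTEM_DIRS):
        findings.append("module lives in a subdirectory of the system directory")
    if any(p in low for p in USER_WRITABLE):
        findings.append("module loaded from a user-writable path")
    if export.startswith("#"):
        findings.append(f"export called by ordinal {export}")
    if image == "rundll32.exe" and parent == "rundll32.exe":
        findings.append("rundll32 spawned by rundll32")
    return findings


def scan(events):
    """Return [(command_line, findings)] for every record that matched at least one rule."""
    flagged = []
    for ev in events:
        findings = analyze(ev)
        if findings:
            flagged.append((ev.command_line, findings))
    return flagged


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(cmdline)
        for f in findings:
            print("   -", f)
```

Each rule is weak on its own (System32 has legitimate subdirectories that hold DLLs, and ordinal calls turn up in some installers), so single hits are hunting leads rather than alerts. The second-stage events in this chain trip three rules on one record (non-DLL extension, system subdirectory, rundll32 spawned by rundll32); that combination is the one to alert on.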

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ynbglcmtebwefkh\kybokpdcd.avl:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_10008B90
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6792 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6788 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6636 Thread sleep time: -120000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.14.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000028.00000002.586729756.000002014FE82000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: VMware7,1
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000009.00000002.603466856.0000019B31257000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.603484817.0000019B31264000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.776922125.0000000002E84000.00000004.00000020.sdmp, rundll32.exe, 0000000D.00000003.301202943.0000000002EAB000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.301116339.0000000002E84000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.777016597.0000000002EAC000.00000004.00000020.sdmp, WerFault.exe, 00000014.00000002.314476221.000000000445E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.312086164.0000000004470000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.312035662.000000000445C000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.586755929.000002014FE8A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.586862467.000002014FEEA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.603029312.0000019B2BC29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@p&1
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 00000010.00000002.774690814.00000214CF267000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.773899188.000001BBF9E29000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.310546250.0000000004487000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
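Much of this section does not describe the sample. The VMware and Hyper-V strings come from Amcache.hve.14.dr, a hive the sandbox collected from process 14, which the memory-dump identifiers earlier in the report (0000000E, WerFault.exe) show is the crash reporter; they describe the analysis VM's own hardware, not a VM check performed by the malware. The sleep calls are in svchost.exe service threads, and the .pdb names were found in WerFault.exe's memory and name Windows system DLLs, not anything built with the sample. Before treating a line as an indicator it has to be attributed to a process that actually hosted the sample (loaddll32.exe, regsvr32.exe, rundll32.exe) or to the sample file itself. The following is an added example, not part of the report: it parses the report's "Source: ..." lines and buckets them by origin. The bucket names, the process lists and the embedded report lines (copied from this report) are this example's choices for this particular analysis and would be adjusted per sample.

```python
import re
from collections import Counter

# Event verbs Joe Sandbox prints after the source; the first one found ends the source field.
EVENT_KEYWORDS = [
    "Process created:", "Code function:", "Binary or memory string:", "File opened:", "File read:",
    "File created:", "File Volume queried:", "Process information set:", "Process information queried:",
    "Process queried:", "Thread sleep time:", "TID:", "Section loaded:", "Key opened:",
    "Key value queried:", "Mutant created:", "Registry key monitored", "PE file moved:",
    "Static PE information:", "API coverage:", "API call chain:", "Last function:",
    "Virustotal:", "ReversingLabs:", "Classification label:",
]
_SPLIT = re.compile(r"^Source:\s*(.*?)\s*(" + "|".join(map(re.escape, EVENT_KEYWORDS)) + r")\s*(.*)$")

SAMPLE_FILE = "xxwry2yg7s.dll"
SAMPLE_HOSTS = {"loaddll32.exe", "regsvr32.exe", "rundll32.exe"}   # processes the DLL was loaded into
OS_PROCESSES = {"svchost.exe", "werfault.exe", "conhost.exe", "sgrmbroker.exe", "mpcmdrun.exe"}

# Lines copied from this report, used as the self-check input.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bcdsqhgufomb\pnioy.zya:Zone.Identifier read attributes | delete Jump to behavior",
    r"Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse",
    r"Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.272356173.0000000005291000.00000004.00000001.sdmp",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: svchost.exe, 00000028.00000002.586729756.000002014FE82000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0",
    r"Source: C:\Windows\System32\svchost.exe TID: 6792 Thread sleep time: -30000s >= -30000s Jump to behavior",
    r"Source: xxWrY2YG7s.dll Static PE information: real checksum: 0x66354 should be: 0x6c52b",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A",
    "Data Obfuscation:",
]


def parse_line(line: str):
    """Split a report line into (source_field, event_kind, detail); None for non-Source lines."""
    if line.startswith("Source: Binary string:"):
        # pdb/string hits are written 'Source: Binary string: <text> source: <dump>'
        body, _, dump = line.partition(" source: ")
        return dump.strip(), "Binary string:", body[len("Source: Binary string:"):].strip()
    m = _SPLIT.match(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def origin_of(source_field: str):
    """Map the source field to (name, bucket)."""
    s = source_field.strip()
    if re.search(r"\.\d+\.dr$", s):            # '<file>.<process id>.dr' = file dropped by that process
        return s, "dropped-artifact"
    m = re.search(r"([^\\\s,]+\.(?:exe|dll))", s, re.I)
    if not m:
        return s, "other"
    name = m.group(1).lower()
    if name == SAMPLE_FILE or name in SAMPLE_HOSTS:
        return name, "sample"
    if name == "cmd.exe":
        return name, "harness"                 # the loader's cmd /C wrapper, not sample code
    if name in OS_PROCESSES:
        return name, "os-noise"
    return name, "other"


def classify(line: str):
    """Return (bucket, origin name, event kind, detail) or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    source, kind, detail = parsed
    name, bucket = origin_of(source)
    if kind == "Binary string:" and bucket == "os-noise":
        bucket = "crash-reporter"              # strings scraped from WerFault's memory
    return bucket, name, kind, detail


def triage(lines):
    """Return (Counter of buckets, list of the lines attributable to the sample)."""
    buckets, sample_lines = Counter(), []
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        bucket, name, kind, detail = c
        buckets[bucket] += 1
        if bucket == "sample":
            sample_lines.append(f"{name}: {kind} {detail}")
    return buckets, sample_lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = REPORT_LINES
    buckets, sample_lines = triage(lines)
    for bucket, n in buckets.most_common():
        print(f"{n:5d}  {bucket}")
    for entry in sample_lines:
        print("   ", entry)
```

Run against the full report text this leaves the rundll32.exe/regsvr32.exe/loaddll32.exe events and the static PE findings as the material worth reading closely; the svchost.exe sleeps, the WerFault.exe process-information lines and the Amcache strings drop into their own buckets. "sample" still needs a human pass (IsDebuggerPresent in 2_2_1001C49A, for example, is the standard CRT unhandled-exception path, not a custom check), but at least every line in it was produced by code the sample ran.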

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10023A79
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F5F7F7 mov eax, dword ptr fs:[00000030h] 0_2_02F5F7F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E6F7F7 mov eax, dword ptr fs:[00000030h] 2_2_00E6F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0474F7F7 mov eax, dword ptr fs:[00000030h] 3_2_0474F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00C2F7F7 mov eax, dword ptr fs:[00000030h] 7_2_00C2F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04C3F7F7 mov eax, dword ptr fs:[00000030h] 11_2_04C3F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F5C6B8 LdrInitializeThunk, 0_2_02F5C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 2_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 2_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer, 3_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter, 3_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xxWrY2YG7s.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6472 -ip 6472
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 524
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6472 -ip 6472
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 512
Source: loaddll32.exe, 00000000.00000000.263558904.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.261539178.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.288027395.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.286794306.0000000001AC0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.777358248.0000000003300000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.263558904.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.261539178.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.288027395.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.286794306.0000000001AC0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.777358248.0000000003300000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.263558904.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.261539178.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.288027395.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.286794306.0000000001AC0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.777358248.0000000003300000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.263558904.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.261539178.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.288027395.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.286794306.0000000001AC0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.777358248.0000000003300000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.263558904.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.261539178.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.288027395.0000000001AC0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.286794306.0000000001AC0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.777358248.0000000003300000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_10023880
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022853 cpuid 2_2_10022853
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1001F914
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100178B6

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000017.00000002.774093971.000002338E841000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000017.00000002.774294710.000002338E902000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.774007972.000002338E829000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 2_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_100011C0