
Windows Analysis Report yFAXc9z51V

Overview

General Information

Sample Name: yFAXc9z51V (renamed file extension from none to dll)
Analysis ID: 524857
MD5: fee9ba8d79bcbc58800fda0cafbe5f64
SHA1: 82eb29987e6ed568a5ae01816de7240df1490c0d
SHA256: 3e8acc4d85b6ffc06b18b97a33a43628e8c11bc4dde8648bcc8a2ad9b1154150
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • svchost.exe (PID: 3604 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 924 cmdline: loaddll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6648 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5564 cmdline: rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2336 cmdline: rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6976 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6768 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2528 cmdline: rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 160 cmdline: rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7156 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7148 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6656 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6108 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6236 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6896 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4036 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6428 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5496 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4332 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.rundll32.exe.2b14358.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
9.2.rundll32.exe.28d41f8.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.2ad5298.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.rundll32.exe.2974250.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
5.2.rundll32.exe.2b14358.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started
Author: FPT.EagleEye
Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 5564
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
  ProcessId: 6904

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 12.2.rundll32.exe.33c6390.1.raw.unpack, Malware Configuration Extractor: Emotet (the configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: yFAXc9z51V.dll, VirusTotal: Detection: 24%
Source: yFAXc9z51V.dll, ReversingLabs: Detection: 22%
Source: yFAXc9z51V.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: yFAXc9z51V.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 19_2_04051A80 FindFirstFileW, 19_2_04051A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49748 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: the C2 list shown under Malware Configuration above
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected:
  GET /RUMPKfyWvwh HTTP/1.1
  Cookie: gVql=qP2SWVnr/WJG8YP5xSF8G7Rr6KkEKH5oVbT/aPyZcyn9K/saApq06qYJQ7VQDqAGQmsog3CqnGHN9x0QykU5uuVnobYs31akiF1WnncdqfGM3pGgWKZ2r4ogC9SE6Vh2+mnqzNK2/WuhSLvfpxzgrn3BeUCBI3LUqJXa1TfC4xBhYwdQa/6a5jixa5pMiqaToa/047TTwtpTt5xgOLwssCVW5YzKACeEqQfp8YgGPHadd14J0SJTGVNqyFCbrXXoDBPSb3GwjcRynh1BJ5z3u6jM5aWKTd6XgU1rwPi8sKMzrSyB1Zu0v5YluHWstRSulPtNogkEJBlOu+qxuLWX18w=
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190
Source: unknown, Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 19_2_04061027 InternetReadFile, 19_2_04061027
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6EA75EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 4_2_6EA75EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 5.2.rundll32.exe.2b14358.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.28d41f8.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2ad5298.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2974250.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2b14358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.28d41f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.rundll32.exe.33c6390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2974250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2ad5298.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.rundll32.exe.33c6390.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.365418732.0000000002ABA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.808384988.00000000026E7000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: yFAXc9z51V.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Wlimfwutowthen\
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C71A3C1_2_00C71A3C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C56FC41_2_00C56FC4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C725C31_2_00C725C3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5A3DF1_2_00C5A3DF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6BFE81_2_00C6BFE8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C703F11_2_00C703F1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5C5FE1_2_00C5C5FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C593841_2_00C59384
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5758F1_2_00C5758F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C64D8D1_2_00C64D8D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C54F8E1_2_00C54F8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6B3971_2_00C6B397
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5FD911_2_00C5FD91
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C711931_2_00C71193
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6D99A1_2_00C6D99A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C62FA21_2_00C62FA2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C69DA11_2_00C69DA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C64BAA1_2_00C64BAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6B1B51_2_00C6B1B5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5BFB61_2_00C5BFB6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C67BB21_2_00C67BB2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C533451_2_00C53345
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C713431_2_00C71343
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6F14D1_2_00C6F14D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C53F5C1_2_00C53F5C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5C1581_2_00C5C158
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6056A1_2_00C6056A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C61F6B1_2_00C61F6B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6577E1_2_00C6577E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C535021_2_00C53502
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C523091_2_00C52309
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C6FD101_2_00C6FD10
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C5251C1_2_00C5251C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C56B251_2_00C56B25
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C559231_2_00C55923
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C7292B1_2_00C7292B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C70B341_2_00C70B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D608D14_2_02D608D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5DEF44_2_02D5DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5ECE34_2_02D5ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5AEEB4_2_02D5AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D590BA4_2_02D590BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5CAA84_2_02D5CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D438454_2_02D43845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D42A464_2_02D42A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D420434_2_02D42043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4441E4_2_02D4441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4F41F4_2_02D4F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D44C004_2_02D44C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5D99A4_2_02D5D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D493844_2_02D49384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D57BB24_2_02D57BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5056A4_2_02D5056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5CCD44_2_02D5CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D57ED14_2_02D57ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D50ADE4_2_02D50ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5BEC94_2_02D5BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D430F64_2_02D430F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5A8F04_2_02D5A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4AC954_2_02D4AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5D0914_2_02D5D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D43C914_2_02D43C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5AC9B4_2_02D5AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D606874_2_02D60687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D472834_2_02D47283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4CC8D4_2_02D4CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D54E8A4_2_02D54E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5748A4_2_02D5748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D45AB24_2_02D45AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D598BD4_2_02D598BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D578A54_2_02D578A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5D6A74_2_02D5D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4FEA04_2_02D4FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4DAAE4_2_02D4DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D544AA4_2_02D544AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D426544_2_02D42654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D49A574_2_02D49A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5E4414_2_02D5E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4A0484_2_02D4A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D41C764_2_02D41C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5406E4_2_02D5406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D51C104_2_02D51C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4E21C4_2_02D4E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D48C094_2_02D48C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D41A0A4_2_02D41A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4220A4_2_02D4220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5F83F4_2_02D5F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D61A3C4_2_02D61A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4EC274_2_02D4EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D552204_2_02D55220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D49E224_2_02D49E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4D2234_2_02D4D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4A3DF4_2_02D4A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D46FC44_2_02D46FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D625C34_2_02D625C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D603F14_2_02D603F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4C5FE4_2_02D4C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D455E84_2_02D455E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5BFE84_2_02D5BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5B3974_2_02D5B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4FD914_2_02D4FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D611934_2_02D61193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D54D8D4_2_02D54D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D44F8E4_2_02D44F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4758F4_2_02D4758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5B1B54_2_02D5B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4BFB64_2_02D4BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D543B34_2_02D543B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D59DA14_2_02D59DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D52FA24_2_02D52FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D54BAA4_2_02D54BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D43F5C4_2_02D43F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4C1584_2_02D4C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D433454_2_02D43345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D613434_2_02D61343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5F14D4_2_02D5F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5577E4_2_02D5577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D51F6B4_2_02D51F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D5FD104_2_02D5FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D4251C4_2_02D4251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D435024_2_02D43502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D423094_2_02D42309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D60B344_2_02D60B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D46B254_2_02D46B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D459234_2_02D45923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_02D6292B4_2_02D6292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA766204_2_6EA76620
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA757304_2_6EA75730
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA75EE04_2_6EA75EE0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA9C6FE4_2_6EA9C6FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA937804_2_6EA93780
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA7F7004_2_6EA7F700
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA81CD04_2_6EA81CD0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA8DC5D4_2_6EA8DC5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA72A804_2_6EA72A80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA8A29D4_2_6EA8A29D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EA8DA2D4_2_6EA8DA2D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6EAA30744_2_6EAA3074
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4CAA85_2_02C4CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3441E5_2_02C3441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C443B35_2_02C443B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4BEC95_2_02C4BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4CCD45_2_02C4CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C508D15_2_02C508D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C47ED15_2_02C47ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C40ADE5_2_02C40ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4ECE35_2_02C4ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4AEEB5_2_02C4AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4DEF45_2_02C4DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C330F65_2_02C330F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C372835_2_02C37283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C506875_2_02C50687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C44E8A5_2_02C44E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4748A5_2_02C4748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3CC8D5_2_02C3CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C33C915_2_02C33C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4D0915_2_02C4D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3AC955_2_02C3AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4AC9B5_2_02C4AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C478A55_2_02C478A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3FEA05_2_02C3FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4D6A75_2_02C4D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C444AA5_2_02C444AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C35AB25_2_02C35AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C498BD5_2_02C498BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C490BA5_2_02C490BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C320435_2_02C32043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C32A465_2_02C32A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4E4415_2_02C4E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C338455_2_02C33845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3A0485_2_02C3A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C39A575_2_02C39A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C326545_2_02C32654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4406E5_2_02C4406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C31C765_2_02C31C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C34C005_2_02C34C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C31A0A5_2_02C31A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3220A5_2_02C3220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C38C095_2_02C38C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C41C105_2_02C41C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3F41F5_2_02C3F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3E21C5_2_02C3E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3D2235_2_02C3D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C39E225_2_02C39E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C452205_2_02C45220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3EC275_2_02C3EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C51A3C5_2_02C51A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4F83F5_2_02C4F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C525C35_2_02C525C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C36FC45_2_02C36FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3A3DF5_2_02C3A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4BFE85_2_02C4BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C503F15_2_02C503F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3C5FE5_2_02C3C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C393845_2_02C39384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C44D8D5_2_02C44D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3758F5_2_02C3758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C34F8E5_2_02C34F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3FD915_2_02C3FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4B3975_2_02C4B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C511935_2_02C51193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4D99A5_2_02C4D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C49DA15_2_02C49DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C42FA25_2_02C42FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C44BAA5_2_02C44BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4B1B55_2_02C4B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3BFB65_2_02C3BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C47BB25_2_02C47BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C333455_2_02C33345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C513435_2_02C51343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4F14D5_2_02C4F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3C1585_2_02C3C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C33F5C5_2_02C33F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4056A5_2_02C4056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C41F6B5_2_02C41F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4577E5_2_02C4577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C335025_2_02C33502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C323095_2_02C32309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C4FD105_2_02C4FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C3251C5_2_02C3251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C359235_2_02C35923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C36B255_2_02C36B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C5292B5_2_02C5292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02C50B345_2_02C50B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422441E8_2_0422441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423CAA88_2_0423CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042343B38_2_042343B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04229E228_2_04229E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422D2238_2_0422D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042352208_2_04235220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422EC278_2_0422EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04241A3C8_2_04241A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423F83F8_2_0423F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04224C008_2_04224C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04221A0A8_2_04221A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422220A8_2_0422220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04228C098_2_04228C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04231C108_2_04231C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422F41F8_2_0422F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422E21C8_2_0422E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423406E8_2_0423406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04221C768_2_04221C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042220438_2_04222043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423E4418_2_0423E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04222A468_2_04222A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042238458_2_04223845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422A0488_2_0422A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04229A578_2_04229A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042226548_2_04222654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422FEA08_2_0422FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423D6A78_2_0423D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042378A58_2_042378A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042344AA8_2_042344AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04225AB28_2_04225AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042390BA8_2_042390BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042398BD8_2_042398BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042272838_2_04227283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042406878_2_04240687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04234E8A8_2_04234E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423748A8_2_0423748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422CC8D8_2_0422CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423D0918_2_0423D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04223C918_2_04223C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0422AC958_2_0422AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423AC9B8_2_0423AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423ECE38_2_0423ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423AEEB8_2_0423AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042230F68_2_042230F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423DEF48_2_0423DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423BEC98_2_0423BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04237ED18_2_04237ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042408D18_2_042408D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0423CCD48_2_0423CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04230ADE8_2_04230ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_042259238_2_04225923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04226B258_2_04226B25