
Windows Analysis Report CSxylfUJcL

Overview

General Information

Sample Name: CSxylfUJcL (renamed file extension from none to dll)
Analysis ID: 553113
MD5: fa7ab814336d3ee4312c262457e01f01
SHA1: 73e1844abe6d99a57345464f418279d596985202
SHA256: c89c49c3e8e37835ab53bfd9ff9ab97c80e037f0fdfe7e8df6a7d3d86fa62782
Tags: 32dllexe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7112 cmdline: loaddll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7132 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7160 cmdline: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 7148 cmdline: regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 5820 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6172 cmdline: rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5380 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5536 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3452 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6400 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.353899484.00000000047F1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.354941726.0000000005411000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.354039628.0000000004851000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.353678279.00000000046C1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.354572676.0000000005220000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(21 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.5280000.8.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.5110000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4690000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.4b30000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.47c0000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(34 entries in total)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7132, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, ProcessId: 7160

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.5280000.8.raw.unpack; Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: CSxylfUJcL.dll; Virustotal: Detection: 21%
Source: CSxylfUJcL.dll; ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: CSxylfUJcL.dll; Joe Sandbox ML: detected
Source: CSxylfUJcL.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49766 -> 45.138.98.34:80
Source: Traffic; Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49770 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View; IP Address: 207.148.81.119
Source: Joe Sandbox View; IP Address: 104.131.62.48
Source: global traffic; TCP traffic: 192.168.2.6:49770 -> 69.16.218.101:8080
Source: unknown; Network traffic detected: IP country count 12
Source: unknown; TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown; TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: rundll32.exe, 0000000C.00000003.461140176.0000000004DBF000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globals
Source: svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863214782.000001B96A085000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863099825.000001B96A013000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000C.00000003.460557624.0000000004DF7000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac3be1d532533
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp; String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000C.00000003.461301561.0000000004DED000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.460548550.0000000004DED000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.461164296.0000000004DED000.00000004.00000001.sdmp; String found in binary or memory: https://69dl.windowsupdate.com/
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp; String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.481145725.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481291827.000002DCF0202000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481239356.000002DCEFDA4000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481311470.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481252613.000002DCF0219000.00000004.00000001.sdmp; String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_100012D0 recvfrom,2_2_100012D0
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet

System Summary:

Source: CSxylfUJcL.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Ovttmq\chwg.qvw:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Ovttmq\
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B985FF
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9EFDD
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B81CA1
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9E4E5
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B83431
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9DC71
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9A474
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B87442
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8A445
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B93D85
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B855FF
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B99DF5
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8C5D8
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9C5D5
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B98D3D
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B95515
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9AD08
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B97D5B
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA2D53
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9654A
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B90EBC
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA46BD
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA36AA
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B93EAA
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9BEFD
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA3EE9
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B88636
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B87E79
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9567B
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8DE74
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B92E5D
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8E640
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B857B8
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8BFBE
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA17BD
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA07AA
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B98FAE
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B877A3
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B90F86
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B927F9
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B907F4
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B967E6
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8E7DE
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B81F38
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8670B
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8EF0C
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B95779
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B94F74
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B99774
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9FF58
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8F0E9
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA00EF
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9D8DB
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B880C0
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8B820
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA2009
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B98806
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B87078
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8A871
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9F840
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9D1BC
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B82194
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B96187
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9E1F8
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9017B
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9E955
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8D14C
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B92142
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B90ABA
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8BAA9
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9A2A5
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9CAD5
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B97A0F
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B99A01
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA3263
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA0A64
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B94A66
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9B257
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B94244
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8238C
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8FB8E
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B84BFC
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9FBDE
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B95333
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04BA2B09
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B86B7A
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B9437A
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_04B8F369
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C185FF
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1EFDD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1CCD9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1E4E5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C01CA1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C07442
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0A445
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1DC71
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1A474
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C03431
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1C5D5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0C5D8
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C19DF5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C055FF
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C13D85
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1654A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C22D53
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C17D5B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1AD08
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C15515
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C18D3D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C23EE9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1BEFD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C236AA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C13EAA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0C6B8
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C10EBC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C246BD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0E640
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C12E5D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0DE74
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C07E79
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1567B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C08636
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0E7DE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C167E6
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C107F4
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C127F9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C10F86
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C077A3
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C207AA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C18FAE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C057B8
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0BFBE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C217BD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1FF58
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C14F74
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C19774
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C15779
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0670B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0EF0C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C01F38
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C080C0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1D8DB
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0F0E9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C200EF
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1F840
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0A871
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C07078
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C18806
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C22009
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0B820
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1E1F8
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C16187
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C02194
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1D1BC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C12142
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0D14C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1E955
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1017B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1CAD5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1A2A5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0BAA9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C10ABA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C14244
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1B257
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C23263
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C20A64
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C14A66
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C19A01
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C17A0F
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1FBDE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C04BFC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0238C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0FB8E
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C0F369
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C06B7A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C1437A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C22B09
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04C15333
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8B257
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C84A66
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C7DE74
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C92009
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C87A0F
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C78636
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8EFDD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C7C5D8
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C885FF
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C917BD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8654A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C82142
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8FF58
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8E955
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8AD08
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C7670B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C780C0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8CCD9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8D8DB
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8CAD5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C93EE9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C900EF
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8E4E5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C7F0E9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8BEFD
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C83EAA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C936AA
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C71CA1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C8A2A5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_04C7BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04C80ABA4_2_04C80