Windows Analysis Report pugKLanrj3

Overview

General Information

Sample Name: pugKLanrj3 (renamed file extension from none to dll)
Analysis ID: 553115
MD5: db9535477013554eb17c837e6bd92324
SHA1: ba4fa056de631759ffa5600dd1142a1280d2f051
SHA256: df234584db0c8aa194c6873b78c8ae0018f0c5f445c5c8a2e90c5e3131310ad0
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4352 cmdline: loaddll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 3560 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5572 cmdline: rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1312 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3156 cmdline: regsvr32.exe /s C:\Users\user\Desktop\pugKLanrj3.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6408 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5504 cmdline: rundll32.exe C:\Users\user\Desktop\pugKLanrj3.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6112 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ubjbeaftth\ufcmfnoys.ulp",EgkecrKVKe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ubjbeaftth\ufcmfnoys.ulp",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6312 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5104 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.308556502.0000000004971000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.312426426.0000000004790000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.303864837.0000000002E50000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.308717246.0000000004ED1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000009.00000002.312591906.0000000002E30000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(45 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.rundll32.exe.4fb0000.5.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.6c0000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.4660000.5.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.4fa0000.21.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.4a90000.12.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(70 entries in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3560, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\pugKLanrj3.dll",#1, ProcessId: 5572

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 10.2.rundll32.exe.4a90000.12.raw.unpack, Malware Configuration Extractor: Emotet (the extracted C2 list and public keys are the ones given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: pugKLanrj3.dll, Virustotal: Detection: 26%
Source: pugKLanrj3.dll, ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: pugKLanrj3.dll, Joe Sandbox ML: detected
Source: pugKLanrj3.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49748 -> 45.138.98.34:80
Source: Traffic, Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49749 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration (the 27 IP:port pairs reported by the malware configuration extractor are listed in the Malware Configuration section above)
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 104.131.62.48
Source: global traffic, TCP traffic: 192.168.2.3:49749 -> 69.16.218.101:8080
Source: unknown, Network traffic detected: IP country count 12
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 occurrences)
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101 (11 occurrences)
Source: svchost.exe, 00000011.00000002.435821452.0000024AA7D00000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.435659671.0000024AA74EF000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000A.00000003.343075591.0000000004D31000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e16bf69187751
Source: svchost.exe, 00000011.00000003.408016367.0000024AA7D92000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408127045.0000024AA7DB3000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408267129.0000024AA8202000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.408016367.0000024AA7D92000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408127045.0000024AA7DB3000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408267129.0000024AA8202000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.408016367.0000024AA7D92000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408127045.0000024AA7DB3000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408267129.0000024AA8202000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.408016367.0000024AA7D92000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408127045.0000024AA7DB3000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.408267129.0000024AA8202000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.411715639.0000024AA7DB3000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.411696063.0000024AA7D92000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.411749032.0000024AA8202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.413775795.0000024AA7D8E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.411646731.0000024AA7DCA000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.411611343.0000024AA7DCA000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_100012D0 recvfrom, 2_2_100012D0
Source: loaddll32.exe, 00000000.00000002.307427556.0000000000A4B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 7.2.rundll32.exe.4fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.6c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4660000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4fa0000.21.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4a90000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4950000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3090000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4a90000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.47a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.2e50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4710000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4630000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.2e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4fd0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.49b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4ed0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.2e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4d20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4820000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4fe0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4540000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4ac0000.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4e70000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4960000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4990000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.2e60000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.47f0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4570000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4c70000.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.5000000.23.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4b90000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.720000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4980000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4ea0000.19.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4e70000.18.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.49e0000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4ea0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4790000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4790000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4540000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4950000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4ea0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5010000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.6c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.47a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.47c0000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4f70000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4f70000.20.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.47f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4fd0000.22.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6c0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4740000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4bc0000.15.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.4b90000.14.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4960000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4d20000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.4820000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.4ca0000.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.47f0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.4c70000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.49b0000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.4630000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.47f0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.308556502.0000000004971000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312426426.0000000004790000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.303864837.0000000002E50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308717246.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.312591906.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.310675126.00000000006C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308496197.00000000047A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818600479.0000000004CA1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.816263427.0000000000551000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312707880.0000000004991000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818149949.0000000004821000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312062487.0000000004571000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.303938818.0000000003091000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312157578.0000000004630000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308585132.0000000004D20000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.303434167.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.310610436.0000000000690000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818434536.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818253319.00000000049B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308691982.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312211500.0000000004661000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818342645.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.816816895.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818930567.0000000004F70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308783720.0000000004FE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312650834.0000000004960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818769110.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818077767.0000000004741000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818990382.0000000004FA1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818118455.00000000047F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.311999484.0000000004540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.312633523.0000000002E61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818553417.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312609575.0000000004821000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818862903.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818277549.00000000049E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.819036173.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818224414.0000000004981000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818194001.0000000004950000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.819084555.0000000005001000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312500126.00000000047C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.303487631.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.816889903.0000000000721000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.816215619.0000000000520000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308811399.0000000005011000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.308759081.0000000004FB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818044267.0000000004710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818377834.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.818471974.0000000004BC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.312556159.00000000047F0000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: pugKLanrj3.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Ubjbeaftth\ufcmfnoys.ulp:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ubjbeaftth\