
Windows Analysis Report RQ6mxb6ssDtBoLUIE.dll

Overview

General Information

Sample Name: RQ6mxb6ssDtBoLUIE.dll
Analysis ID: 553238
MD5: 2ca3b6aaf357e2a3c771e4e4204193a5
SHA1: e4cccff37f58d1c6ce65117732cc22875e435bf0
SHA256: 221e0cc963f2a8d6614db7a7556b1879a35d2626e776091dd1b82903cbd766da
Tags: dll
Most interesting Screenshot:

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4356 cmdline: loaddll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6880 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 204 cmdline: rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6916 cmdline: regsvr32.exe /s C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6252 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2268 cmdline: rundll32.exe C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge",rVofdtApIoqtOl MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5368 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pecygnxduanun\bzajsqcyvrfnuga.wge",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5392 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5360 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7044 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.299809540.0000000005000000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.291850550.00000000008A1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.299210410.0000000004E40000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.297719098.0000000000E00000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.298746738.0000000004C00000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(21 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.rundll32.exe.5310000.3.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4e40000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4d10000.5.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.4c50000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4c00000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(34 entries in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6880, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\RQ6mxb6ssDtBoLUIE.dll",#1, ProcessId: 204

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.5000000.10.raw.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: RQ6mxb6ssDtBoLUIE.dll | Virustotal: Detection: 38%
Source: RQ6mxb6ssDtBoLUIE.dll | ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: RQ6mxb6ssDtBoLUIE.dll | Joe Sandbox ML: detected
Source: RQ6mxb6ssDtBoLUIE.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49753 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49754 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 45.138.98.34:80
Source: Malware configuration extractor | IPs: 69.16.218.101:8080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.168.220:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 104.131.62.48:8080
Source: Malware configuration extractor | IPs: 62.171.178.147:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 210.57.209.142:8080
Source: Malware configuration extractor | IPs: 159.69.237.188:443
Source: Malware configuration extractor | IPs: 116.124.128.206:8080
Source: Malware configuration extractor | IPs: 128.199.192.135:8080
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Malware configuration extractor | IPs: 185.148.168.15:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 190.90.233.66:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.3:49754 -> 69.16.218.101:8080
Source: unknown | Network traffic detected: IP country count 12
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000011.00000003.407646546.000002A670DA2000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000011.00000002.424997634.000002A670D00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.424857181.000002A6706F1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000A.00000003.358571882.00000000052C0000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.360398348.00000000052BF000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.360648295.00000000052BF000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000A.00000003.358571882.00000000052C0000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/:
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.404286448.000002A671221000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401511340.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401568699.000002A671203000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401665988.000002A670D80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.401938754.000002A670D91000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.405183844.000002A670D90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.405198948.000002A671202000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.405168594.000002A670DA7000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.405143332.000002A670DA7000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100012D0 recvfrom, 2_2_100012D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_1000FF59

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 7.2.rundll32.exe.5310000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d10000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4c50000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ed0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e70000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.35f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5030000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5440000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.1210000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5340000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ea0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ce0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.3430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5470000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c30000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5000000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.35f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ea0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.54a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.32d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.299809540.0000000005000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291850550.00000000008A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.299210410.0000000004E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.297719098.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.298746738.0000000004C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.298845218.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.297189836.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.301069258.0000000003591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291729039.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.297374152.0000000005471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.298795407.0000000004C31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.298902972.0000000004D11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.299405702.0000000004E71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.294644360.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.299584840.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.297325366.0000000005440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.296807303.0000000003301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.296956252.00000000035F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.297422953.00000000054A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.296758413.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.297974222.0000000001211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.297236568.0000000005341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.299746454.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.299970010.0000000005031000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.295542528.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.300853002.0000000003430000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: RQ6mxb6ssDtBoLUIE.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Pecygnxduanun\bzajsqcyvrfnuga.wge:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Pecygnxduanun\
                      So