
Windows Analysis Report EcJ8rbg.dll

Overview

General Information

Sample Name: EcJ8rbg.dll
Analysis ID: 553239
MD5: 8d7dd249f2a87f71b1588ce7d9855c80
SHA1: a0776075300b15a404955bf669674d88df3a84ae
SHA256: 52faccb896886829a34782bd88a943f4e9a883ca5126aa147bbc177b9aaf8273
Tags: dll

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3436 cmdline: loaddll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5792 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5104 cmdline: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6728 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5608 cmdline: regsvr32.exe /s C:\Users\user\Desktop\EcJ8rbg.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6700 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\EcJ8rbg.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2912 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj",GacrURwyZJOcX MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Twpdaikokj\mcaqvcjuoohw.tdj",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source                                                               Rule                  Description           Author
00000002.00000002.651219135.0000000003250000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000005.00000002.658773887.00000000052D1000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000009.00000002.663246683.0000000002F90000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000007.00000002.658783740.0000000004A51000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000005.00000002.658642834.00000000050E0000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
(first 5 of 25 entries shown)

Unpacked PEs

Source                                  Rule                  Description           Author
5.2.rundll32.exe.48d0000.1.unpack       JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
5.2.rundll32.exe.4e50000.2.unpack       JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
5.2.rundll32.exe.5140000.8.raw.unpack   JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
7.2.rundll32.exe.49c0000.6.unpack       JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
5.2.rundll32.exe.2e20000.0.unpack       JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
(first 5 of 40 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5792, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, ProcessId: 5104

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.4760000.3.unpack; Malware Configuration Extractor: Emotet (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: EcJ8rbg.dll; Virustotal: Detection: 40%
Machine Learning detection for sample
Source: EcJ8rbg.dll; Joe Sandbox ML: detected
Source: EcJ8rbg.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49781 -> 45.138.98.34:80
Source: Traffic; Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49782 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration (source: Malware configuration extractor; the 27 addresses are those listed under Malware Configuration above)
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View; IP Address: 207.148.81.119
Source: Joe Sandbox View; IP Address: 104.131.62.48
Source: global traffic; TCP traffic: 192.168.2.4:49782 -> 69.16.218.101:8080
Source: unknown; Network traffic detected: IP country count 11
Source: unknown; TCP traffic detected without corresponding DNS query: 45.138.98.34 (reported 3 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 69.16.218.101 (reported 11 times)
Source: svchost.exe, 00000011.00000003.761015443.00000289AE90C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.782664257.00000289AE900000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp; String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp; String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.762429970.00000289AE978000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762444639.00000289AE989000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762645244.00000289AE99A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762542665.00000289AE9D2000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762524654.00000289AE9D2000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762611865.00000289AE978000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762579318.00000289AE9BB000.00000004.00000001.sdmp; String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_100012D0 recvfrom, 2_2_100012D0
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet
Source: Yara match; file sources are the unpacked PEs and memory dumps listed under Yara Overview above

                      System Summary:

                      Source: EcJ8rbg.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Twpdaikokj\
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10020011
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100181CA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001929D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002542D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100274AE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10026575
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001869D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001178A
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10016860
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002596F
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022A5C
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018A71
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001AAB7
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001CB16
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018E7D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10025EB1
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B485FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4EFDD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B31CA1
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4E4E5
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4CCD9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B33431
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4A474
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4DC71
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B37442
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3A445
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B43D85
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B49DF5
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B355FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4C5D5
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3C5D8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B48D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B45515
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4AD08
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B52D53
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B47D5B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4654A
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B40EBC
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B546BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3C6B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B43EAA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B536AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4BEFD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B53EE9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B38636
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3DE74
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B37E79
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4567B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B42E5D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3E640
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B517BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B357B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3BFBE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B377A3
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B48FAE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B507AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B40F86
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B407F4
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B427F9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B467E6
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3E7DE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B31F38
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3670B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3EF0C
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B44F74
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B49774
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B45779
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4FF58
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3F0E9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B500EF
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4D8DB
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B380C0
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3B820
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B48806
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B52009
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B3A871
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B37078
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4F840
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4D1BC
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B32194
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B46187
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4E1F8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04B4017B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10020011
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100181CA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001929D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002542D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100274AE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10026575
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001869D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001178A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10016860
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002596F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022A5C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018A71
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001AAB7
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CB16
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018E7D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10025EB1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042585FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425EFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04243431
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425A474
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425DC71
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424A445
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04247442
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04241CA1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425E4E5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425CCD9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04258D3D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425AD08
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04255515
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425654A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04262D53
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04257D5B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04253D85
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04259DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042455FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425C5D5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424C5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04248636
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424DE74
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04247E79
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425567B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424E640
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04252E5D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042636AA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04253EAA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04250EBC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042646BD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424C6B8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04263EE9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425BEFD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04241F38
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424EF0C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424670B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04254F74
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04259774
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04255779
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425FF58
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042477A3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04258FAE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042607AA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424BFBE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042617BD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042457B8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04250F86
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042567E6
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042507F4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042527F9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424E7DE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424B820
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04258806
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04262009
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424A871
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04247078
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425F840
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042600EF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424F0E9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_042480C0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425D8DB
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425017B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04252142
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424D14C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425E955
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425D1BC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04256187
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04242194
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425E1F8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04259A01
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04257A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04260A64
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04254A66
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04263263
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04254244
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425B257
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425A2A5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04250ABA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425CAD5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04255333
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04262B09
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424F369
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04246B7A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425437A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424238C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0424FB8E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04244BFC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0425FBDE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F2009
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D8636
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DA445
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EB257
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E4A66
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DDE74
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F17BD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EEFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DC5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E85FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D670B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EAD08
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E654A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E2142
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EFF58
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EE955
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E3EAA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DBAA9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F36AA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EA2A5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D1CA1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F46BD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E0EBC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E0ABA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DC6B8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D80C0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048ED8DB
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048ECCD9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048ECAD5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F00EF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DF0E9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F3EE9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EE4E5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EBEFD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E8806
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E9A01
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DB820
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D3431
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E4244
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DE640
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EF840
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D7442
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E2E5D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F0A64
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F3263
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D7E79
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D7078
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E567B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EA474
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DA871
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EDC71
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D238C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DFB8E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E0F86
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E6187
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E3D85
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D2194
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E8FAE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F07AA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D77A3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048ED1BC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DBFBE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D57B8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EFBDE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DE7DE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EC5D5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E67E6
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D4BFC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D55FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048EE1F8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E27F9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E07F4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E9DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DEF0C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F2B09
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E5515
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E8D3D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D1F38
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E5333
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DD14C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E7D5B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048F2D53
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048DF369
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E437A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E017B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E5779
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048D6B7A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E4F74
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_048E9774
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008F7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00902009
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008E8636
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008EA445
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008F4A66
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008EDE74
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008FEFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008EC5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008E670B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008FAD08
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008F654A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008F2142
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008FFF58
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008F3EAA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008EBAA9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_008FA2A5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009046BD