Windows Analysis Report 9fC0as7YLE

Overview

General Information

Sample Name: 9fC0as7YLE (renamed file extension from none to dll)
Analysis ID: 524854
MD5: 1436a43cdd37d5e362b0699552b446ed
SHA1: c3c2a766ecd7b01e4aec5810ed5dbeff6036c432
SHA256: f7c6e16173099ee6d999c37b5eeb327446cb836ff6c5455454cfb22775fb9624
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6484 cmdline: loaddll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6504 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6532 cmdline: rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6920 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6520 cmdline: rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",YPRnAEDz MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6032 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6584 cmdline: rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6100 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4392 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6776 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7000 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2908 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5040 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6112 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5476 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 2076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5272 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4832 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
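The configuration above, worked into checkable indicators as an added example (this is neither Joe Sandbox code nor code from the sample). The two base64 "Public Key" strings are decoded as Windows CNG BCRYPT_ECCKEY_BLOB structures (DWORD magic, DWORD cbKey, then the X and Y coordinates), the blob length is checked against the header and the point is checked against the P-256 curve equation, the C2 list is validated into (ip, port) pairs, and a constructed connection log is matched against it. The log lines, the log format and all function names are this example's own assumptions.

```python
"""Decode the Emotet configuration printed above into checkable IoCs.

Added example for this page; it is neither Joe Sandbox code nor code from
the sample. The key blobs are decoded as Windows CNG BCRYPT_ECCKEY_BLOB
structures (bcrypt.h: DWORD dwMagic, DWORD cbKey, then X and Y of cbKey
bytes each); the P-256 parameters are used only to sanity-check the point.
"""
import base64
import ipaddress
import struct

# Configuration exactly as the report's extractor printed it.
EMOTET_CONFIG = {
    "Public Key": [
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    ],
    "C2 list": [
        "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
        "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
        "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
        "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
        "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443",
    ],
}

# CNG ECC public-key blob magics from bcrypt.h; as little-endian DWORDs they
# read "ECK1" (ECDH) and "ECS1" (ECDSA), which is why the base64 starts RUNL/RUNT.
BCRYPT_ECDH_PUBLIC_P256_MAGIC = 0x314B4345
BCRYPT_ECDSA_PUBLIC_P256_MAGIC = 0x31534345
KEY_TYPES = {
    BCRYPT_ECDH_PUBLIC_P256_MAGIC: "ECDH P-256 public key",
    BCRYPT_ECDSA_PUBLIC_P256_MAGIC: "ECDSA P-256 public key",
}

# NIST P-256: y^2 = x^3 - 3x + b (mod p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_ecc_blob(b64: str) -> dict:
    """Decode one base64 BCRYPT_ECCKEY_BLOB; raise ValueError if it is malformed."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("blob shorter than the 8-byte BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = struct.unpack_from("<II", raw, 0)
    if magic not in KEY_TYPES:
        raise ValueError(f"unknown ECC blob magic 0x{magic:08x}")
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob is {len(raw)} bytes, header promises {8 + 2 * cb_key}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:], "big")
    on_curve = (y * y) % P256_P == (x * x * x - 3 * x + P256_B) % P256_P
    return {
        "magic": raw[:4].decode("ascii"),  # "ECK1" or "ECS1"
        "type": KEY_TYPES[magic],
        "cb_key": cb_key,                  # 32 (0x20) for P-256
        "x": f"{x:064x}",
        "y": f"{y:064x}",
        "on_curve": on_curve,
    }


def parse_c2_list(entries) -> list:
    """Split 'ip:port' strings into validated (ip, port) tuples."""
    c2 = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        c2.append((str(ipaddress.ip_address(host)), int(port)))
    return c2


def find_c2_connections(conn_log, c2) -> list:
    """Return the log lines whose destination ip:port is a configured C2.

    Log format is constructed for this example: '<ts> <src>:<sport> -> <dst>:<dport>'.
    """
    wanted = set(c2)
    hits = []
    for line in conn_log:
        _ts, _src, _arrow, dst = line.split()
        ip, _, port = dst.rpartition(":")
        if (ip, int(port)) in wanted:
            hits.append(line)
    return hits


# Constructed sample log: line 1 is the flow the report observed (port 49767
# to 51.178.61.60:443); line 2 is benign filler using a documentation prefix.
SAMPLE_CONN_LOG = [
    "2021-01-01T00:00:01Z 192.168.2.5:49767 -> 51.178.61.60:443",
    "2021-01-01T00:00:02Z 192.168.2.5:49768 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for b64 in EMOTET_CONFIG["Public Key"]:
        key = parse_ecc_blob(b64)
        print(key["magic"], key["type"], "on_curve=%s x=%s..." % (key["on_curve"], key["x"][:16]))
    c2 = parse_c2_list(EMOTET_CONFIG["C2 list"])
    print(len(c2), "C2 endpoints;", len(find_c2_connections(SAMPLE_CONN_LOG, c2)), "hit(s) in the sample log")
```

The first blob's magic decodes to ECK1 (BCRYPT_ECDH_PUBLIC_P256_MAGIC) and the second to ECS1 (BCRYPT_ECDSA_PUBLIC_P256_MAGIC), each with cbKey = 0x20, so the 96-character base64 strings are exactly the 72 bytes a P-256 public-key blob occupies. A blob that fails the length or curve check should be treated as a truncated or mis-extracted configuration rather than as a key.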

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.352594245.0000000000E0A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000012.00000002.773392509.00000000009BA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000A.00000002.377195356.00000000033CA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.310049703.00000000004A5000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.364267803.0000000000D9A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(2 further entries not included in this export)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.rundll32.exe.db4210.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.e243b8.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.5841b0.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.115c740.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
18.2.rundll32.exe.9d4738.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(7 further entries not included in this export)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data:
  Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
  CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 6532
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL
  ProcessId: 6920
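The process tree in this report, run through a small triage script as an added example (it is neither the FPT.EagleEye Sigma rule nor Joe Sandbox code). It rebuilds parent/child relationships from the PIDs in the tree, parses each rundll32 command line into module path and export, and flags the three things visible above: rundll32 launched by rundll32, a module whose extension is not .dll (the dropped jwypbohhelrk.uxw), and a module loaded from a user-writable path. The event tuples are constructed from the tree; the Event fields, the regular expression and the rule wording are this example's own.

```python
"""Triage heuristics over the process tree above, in the spirit of the
"Emotet RunDLL32 Process Creation" Sigma hit.

Added example for this page: it is not the FPT.EagleEye Sigma rule and not
Joe Sandbox code. Events are (PID, parent PID, command line) tuples copied
from the report's process tree; field and rule names are this example's own.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid cmdline")

# Constructed from the report's process tree (loaddll32 harness and children);
# ppid 0 marks a process whose parent is not in the tree.
EVENTS = [
    Event(6484, 0, r'loaddll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll"'),
    Event(6504, 6484, r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1'),
    Event(6532, 6504, r'rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1'),
    Event(6920, 6532, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL'),
    Event(6520, 6484, r'rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,Control_RunDLL'),
    Event(6952, 6520, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",YPRnAEDz'),
    Event(6032, 6952, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",Control_RunDLL'),
    Event(6584, 6484, r'rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,abziuleoxsborpb'),
    Event(1132, 6584, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL'),
    Event(6724, 6484, r'rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,aejkroaebsbxdnkhb'),
    Event(6100, 6724, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL'),
    Event(4392, 6484, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL'),
]

# rundll32 command line: [path\]rundll32.exe <module>,<export>; module may be quoted.
RUNDLL32_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32\.exe"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the executable token of a command line."""
    first = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    return first.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str):
    """Return (module_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    return (m.group("module"), m.group("export")) if m else None


def triage(events) -> list:
    """Return (pid, reason) findings for rundll32 launches worth a look."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if image_name(e.cmdline) != "rundll32.exe":
            continue
        parsed = parse_rundll32(e.cmdline)
        if parsed is None:
            continue
        module, export = parsed
        parent = by_pid.get(e.ppid)
        # 1. rundll32 re-launching itself: the tree shows the first export (#1 or a
        #    random name) spawning a second rundll32 with Control_RunDLL.
        if parent is not None and image_name(parent.cmdline) == "rundll32.exe":
            findings.append((e.pid, f"rundll32 spawned by rundll32 (export {export})"))
        # 2. Module whose extension is not .dll, e.g. the dropped jwypbohhelrk.uxw.
        if not module.lower().endswith(".dll"):
            findings.append((e.pid, f"module without .dll extension: {module}"))
        # 3. Module under C:\Users: a DLL launched from a user-writable location.
        if "\\users\\" in module.lower():
            findings.append((e.pid, f"module loaded from a user-writable path: {module}"))
    return findings


def lineage(events, pid: int) -> list:
    """Root-to-leaf PID chain for a process, following parent PIDs."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(pid, "->".join(str(p) for p in lineage(EVENTS, pid)), reason)
```

Rule 3 fires on every launch from the Desktop, including the ones the loaddll32 harness itself starts, which is expected in a sandbox; on a production endpoint it is a triage signal to combine with the other two, not a verdict on its own. The chain for PID 6032 (6484 -> 6520 -> 6952 -> 6032) is the one that reaches the dropped .uxw module.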

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 18.2.rundll32.exe.9d4738.1.raw.unpack | Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: 9fC0as7YLE.dll | Virustotal: Detection: 19%
Source: 9fC0as7YLE.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: 9fC0as7YLE.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE0D1EE FindFirstFileExA,0_2_6EE0D1EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE0D1EE FindFirstFileExA,2_2_6EE0D1EE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49767 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 51.178.61.60:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 45.79.33.48:8080
Source: Malware configuration extractor | IPs: 196.44.98.190:8080
Source: Malware configuration extractor | IPs: 177.72.80.14:7080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.169.10:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
  GET /PpGHOEhwQiOjTmUx HTTP/1.1
  Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7OfqgmBnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOmbpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 196.44.98.190 196.44.98.190
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60 (reported 10 times)
                      Source: svchost.exe, 00000024.00000003.666031431.000002626C7A0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ"
,"VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                      Source: svchost.exe, 00000024.00000003.666031431.000002626C7A0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000024.00000003.666031431.000002626C7A0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.twitter.com (Twitter)
Source: svchost.exe, 00000005.00000002.623863529.0000028AF7287000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.682183919.000002626C700000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.623723166.0000028AF7200000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.394320457.00000233D1049000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.394579382.00000233D1041000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.394579382.00000233D1041000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000002.395055779.00000233D1064000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000024.00000003.660846530.000002626C7BE000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.660897729.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.660806852.000002626C79C000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: global trafficHTTP traffic detected: GET /PpGHOEhwQiOjTmUx HTTP/1.1Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7OfqgmBnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOmbpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49767 version: TLS 1.2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EDE5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,0_2_6EDE5EE0

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 6.2.rundll32.exe.db4210.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.e243b8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.5841b0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.115c740.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.9d4738.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.9d4738.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.db4210.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.e243b8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.115c740.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.5841b0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.33e4348.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.33e4348.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.352594245.0000000000E0A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.773392509.00000000009BA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.377195356.00000000033CA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.310049703.00000000004A5000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.364267803.0000000000D9A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.310032322.000000000056A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.365672207.000000000114A000.00000004.00000020.sdmp, type: MEMORY

                      System Summary:

                      Source: 9fC0as7YLE.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8CAA8
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7441E
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D843B3
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D80ADE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D908D1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D87ED1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8CCD4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8BEC9
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D730F6
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8A8F0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8DEF4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8AEEB
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8ECE3
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7AC95
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8AC9B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D73C91
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8D091
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D84E8A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8748A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D77283
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7CC8D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D90687
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D890BA
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D75AB2
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D898BD
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D844AA
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7FEA0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7DAAE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D878A5
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8D6A7
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D79A57
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D72654
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D72A46
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D73845
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D72043
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8E441
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7A048
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D71C76
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8406E
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7F41F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D81C10
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7E21C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D74C00
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D71A0A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7220A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D78C09
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D91A3C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8F83F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7EC27
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7D223
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D79E22
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D85220
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7A3DF
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D76FC4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D925C3
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D903F1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7C5FE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8BFE8
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D755E8
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8D99A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7FD91
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D91193
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8B397
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D79384
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D84D8D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7758F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D74F8E
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7BFB6
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D87BB2
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8B1B5
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D84BAA
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D89DA1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D82FA2
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D73F5C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7C158
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D73345
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8F14D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D91343
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8577E
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8056A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D81F6B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D8FD10
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D7251C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D73502
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D72309
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D90B34
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D9292B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D76B25
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D75923
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDE6620
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDE5730
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE0C6FE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDE5EE0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDFA60F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE03780
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDEF700
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDF1CD0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDFDC5D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDF7C47
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDFA29D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDE2A80
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDFDA2D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDFA8B9
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE13074
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EDFA1F0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE11929
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B390BA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B408D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2441E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2F41F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B24C00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B22043
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B22A46
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B23845
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B37BB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3D99A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B29384
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3056A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B25AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B398BD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B378A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B344AA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3D091
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B23C91
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2AC95
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B27283
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B40687
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B34E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3748A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B230F6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B37ED1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B30ADE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B41A3C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3F83F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B29E22
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2D223
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B35220
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2EC27
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B31C10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2E21C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B21A0A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2220A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B28C09
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B21C76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3406E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B29A57
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B22654
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3E441
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2A048
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B343B3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B2BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B3B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B32FA2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B39DA1
                      Source: <