
Windows Analysis Report 9fC0as7YLE

Overview

General Information

Sample Name:9fC0as7YLE (renamed file extension from none to dll)
Analysis ID:524854
MD5:1436a43cdd37d5e362b0699552b446ed
SHA1:c3c2a766ecd7b01e4aec5810ed5dbeff6036c432
SHA256:f7c6e16173099ee6d999c37b5eeb327446cb836ff6c5455454cfb22775fb9624
Tags:32dllexe

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6484 cmdline: loaddll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6504 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6532 cmdline: rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6920 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6520 cmdline: rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",YPRnAEDz MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6032 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dkrmyysnwhbfjv\jwypbohhelrk.uxw",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6584 cmdline: rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\9fC0as7YLE.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6100 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4392 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6776 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7000 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2908 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5040 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6112 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5476 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 2076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5272 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4832 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.352594245.0000000000E0A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000012.00000002.773392509.00000000009BA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000A.00000002.377195356.00000000033CA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.310049703.00000000004A5000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.364267803.0000000000D9A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.rundll32.exe.db4210.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.e243b8.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.5841b0.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.2.loaddll32.exe.115c740.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
18.2.rundll32.exe.9d4738.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6532, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\9fC0as7YLE.dll",Control_RunDLL, ProcessId: 6920

Jbx Signature Overview



AV Detection:

Found malware configuration
Source: 18.2.rundll32.exe.9d4738.1.raw.unpack | Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: 9fC0as7YLE.dll | Virustotal: Detection: 19%
Source: 9fC0as7YLE.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: 9fC0as7YLE.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE0D1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6EE0D1EE FindFirstFileExA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49767 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
GET /PpGHOEhwQiOjTmUx HTTP/1.1
Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7OfqgmBnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOmbpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 196.44.98.190 196.44.98.190
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 00000005.00000002.623863529.0000028AF7287000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.682183919.000002626C700000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.623723166.0000028AF7200000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.773648072.00000263E7E3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.394320457.00000233D1049000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.394579382.00000233D1041000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.394579382.00000233D1041000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394512227.00000233D105A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000002.395055779.00000233D1064000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.394380183.00000233D1061000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.394999140.00000233D103D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.394544611.00000233D1040000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.363860154.00000233D1031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000002.394905935.00000233D1013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000024.00000003.658474810.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658615820.000002626CC22000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658533477.000002626C7AD000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.658442535.000002626C78B000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000024.00000003.660846530.000002626C7BE000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.660897729.000002626C79C000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.660806852.000002626C79C000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: global trafficHTTP traffic detected: GET /PpGHOEhwQiOjTmUx HTTP/1.1Cookie: YLrNoFUoT=bKEzC4TtBgWiCpCm5V4NTfJlsG4xSuG6WBwZ0+s0+7maqRUE8+Vd405E9iLW76EKwoJu0oJG0v7OfqgmBnIwDVZMen2UWzwOktsPtg0rCDnmNkpEuCrwt8Qz2qrcsIX4r5n9v3PiTM0NQYDzsXvP4yDBcV8aiSCWx/8DuJLx8jSP8VTvHZOmbpvM2UD0mZw09mL35Wk+3mE6+Rj+HvFKD3DgAJ01grD+hBVrF/i3cg5gzPsKc4mPP0Z6+CkDl/1zRoKRPtwmJRocbJ/KkJ4J+/liajE=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49767 version: TLS 1.2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EDE5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 6.2.rundll32.exe.db4210.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.e243b8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.5841b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.115c740.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.9d4738.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.9d4738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.db4210.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.e243b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.115c740.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.5841b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.33e4348.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.33e4348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.352594245.0000000000E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.773392509.00000000009BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.377195356.00000000033CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310049703.00000000004A5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.364267803.0000000000D9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.310032322.000000000056A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.365672207.000000000114A000.00000004.00000020.sdmp, type: MEMORY

                      System Summary:

Source: 9fC0as7YLE.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Dkrmyysnwhbfjv\
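The two file-system entries above record the drop: rundll32.exe creates a directory with a random-looking name directly under SysWOW64, then deletes the Zone.Identifier alternate data stream of the file it placed there, which is the stream that carries the mark-of-the-web. Taken alone, a directory creation under SysWOW64 or an ADS deletion is noise; together, from the same process and in the same directory, they are a usable host detection. The following Python is an added example, not code from the report: it correlates the two event types over a list of file events. The FileEvent record shape is constructed to mirror the report's "File created"/"File deleted" lines and is not a real sandbox or EDR export format; the benign events are constructed for contrast, and the two report events are embedded verbatim.

```python
"""Correlate a directory created under a system dir with a Zone.Identifier deletion inside it.

Added example, not code from the report. FileEvent is a constructed record
shape (not a real sandbox/EDR format). REPORT_EVENTS holds the two events the
report records for rundll32.exe; BENIGN_EVENTS are constructed for contrast.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)
ZONE_ID_STREAM = "zone.identifier"  # the alternate data stream carrying the mark-of-the-web


@dataclass(frozen=True)
class FileEvent:
    process: str  # image path of the acting process
    action: str   # "dir_created", "file_created" or "deleted"
    path: str     # target path; ":stream" suffix denotes an alternate data stream


# Events recorded in the report (the "File created" line names a directory).
REPORT_EVENTS = [
    FileEvent(r"C:\Windows\SysWOW64\rundll32.exe", "dir_created",
              r"C:\Windows\SysWOW64\Dkrmyysnwhbfjv"),
    FileEvent(r"C:\Windows\SysWOW64\rundll32.exe", "deleted",
              r"C:\Windows\SysWOW64\Dkrmyysnwhbfjv\jwypbohhelrk.uxw:Zone.Identifier"),
]
# Constructed benign events: a temp directory, and a user removing MotW from a download.
BENIGN_EVENTS = [
    FileEvent(r"C:\Windows\System32\svchost.exe", "dir_created", r"C:\Windows\Temp\scratch"),
    FileEvent(r"C:\Windows\explorer.exe", "deleted",
              r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"),
]


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Split 'C:\\dir\\file:stream' into (file, stream); the drive colon is not a stream separator."""
    drive, sep, rest = path.partition(":")
    if sep and ":" in rest:
        file_part, _, stream = rest.rpartition(":")
        return drive + ":" + file_part, stream
    return path, None


def under_system_dir(path: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` is inside System32 or SysWOW64."""
    parts = [p.lower() for p in path.parts]
    for sysdir in SYSTEM_DIRS:
        prefix = [p.lower() for p in sysdir.parts]
        if parts[: len(prefix)] == prefix:
            return True
    return False


def correlate(events: List[FileEvent]) -> List[Dict[str, str]]:
    """One finding per Zone.Identifier deletion inside a directory that was itself
    created, by any event in the list, directly under System32 or SysWOW64."""
    created_dirs: Dict[str, FileEvent] = {}
    for ev in events:
        if ev.action != "dir_created":
            continue
        p = PureWindowsPath(ev.path)
        # parts == (drive, Windows, System32|SysWOW64, new directory)
        if under_system_dir(p) and len(p.parts) == 4:
            created_dirs[str(p).lower()] = ev

    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.action != "deleted":
            continue
        file_path, stream = split_ads(ev.path)
        if stream is None or stream.lower() != ZONE_ID_STREAM:
            continue
        parent = str(PureWindowsPath(file_path).parent).lower()
        creator = created_dirs.get(parent)
        if creator is None:
            continue
        findings.append({
            "process": ev.process,
            "dropped_file": file_path,
            "directory_created_by": creator.process,
            "technique": "Zone.Identifier (mark-of-the-web) removed from a dropped file under a system directory",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(REPORT_EVENTS + BENIGN_EVENTS):
        print(finding)
```

The correlation key is the lower-cased parent directory, so the match survives the case differences that Windows event sources produce; the `len(parts) == 4` guard restricts the directory signal to new top-level children of the system directories, which is where legitimate software almost never creates folders at runtime.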
Source: C:\Windows\System32\loaddll32.exe | Code functions (0_2):
    0_2_00D8CAA8, 0_2_00D7441E, 0_2_00D843B3, 0_2_00D80ADE, 0_2_00D908D1, 0_2_00D87ED1, 0_2_00D8CCD4, 0_2_00D8BEC9,
    0_2_00D730F6, 0_2_00D8A8F0, 0_2_00D8DEF4, 0_2_00D8AEEB, 0_2_00D8ECE3, 0_2_00D7AC95, 0_2_00D8AC9B, 0_2_00D73C91,
    0_2_00D8D091, 0_2_00D84E8A, 0_2_00D8748A, 0_2_00D77283, 0_2_00D7CC8D, 0_2_00D90687, 0_2_00D890BA, 0_2_00D75AB2,
    0_2_00D898BD, 0_2_00D844AA, 0_2_00D7FEA0, 0_2_00D7DAAE, 0_2_00D878A5, 0_2_00D8D6A7, 0_2_00D79A57, 0_2_00D72654,
    0_2_00D72A46, 0_2_00D73845, 0_2_00D72043, 0_2_00D8E441, 0_2_00D7A048, 0_2_00D71C76, 0_2_00D8406E, 0_2_00D7F41F,
    0_2_00D81C10, 0_2_00D7E21C, 0_2_00D74C00, 0_2_00D71A0A, 0_2_00D7220A, 0_2_00D78C09, 0_2_00D91A3C, 0_2_00D8F83F,
    0_2_00D7EC27, 0_2_00D7D223, 0_2_00D79E22, 0_2_00D85220, 0_2_00D7A3DF, 0_2_00D76FC4, 0_2_00D925C3, 0_2_00D903F1,
    0_2_00D7C5FE, 0_2_00D8BFE8, 0_2_00D755E8, 0_2_00D8D99A, 0_2_00D7FD91, 0_2_00D91193, 0_2_00D8B397, 0_2_00D79384,
    0_2_00D84D8D, 0_2_00D7758F, 0_2_00D74F8E, 0_2_00D7BFB6, 0_2_00D87BB2, 0_2_00D8B1B5, 0_2_00D84BAA, 0_2_00D89DA1,
    0_2_00D82FA2, 0_2_00D73F5C, 0_2_00D7C158, 0_2_00D73345, 0_2_00D8F14D, 0_2_00D91343, 0_2_00D8577E, 0_2_00D8056A,
    0_2_00D81F6B, 0_2_00D8FD10, 0_2_00D7251C, 0_2_00D73502, 0_2_00D72309, 0_2_00D90B34, 0_2_00D9292B, 0_2_00D76B25,
    0_2_00D75923
Source: C:\Windows\System32\loaddll32.exe | Code functions (0_2, loaded module image range):
    0_2_6EDE6620, 0_2_6EDE5730, 0_2_6EE0C6FE, 0_2_6EDE5EE0, 0_2_6EDFA60F, 0_2_6EE03780, 0_2_6EDEF700, 0_2_6EDF1CD0,
    0_2_6EDFDC5D, 0_2_6EDF7C47, 0_2_6EDFA29D, 0_2_6EDE2A80, 0_2_6EDFDA2D, 0_2_6EDFA8B9, 0_2_6EE13074, 0_2_6EDFA1F0,
    0_2_6EE11929
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions (2_2):
    2_2_00B390BA, 2_2_00B3CAA8, 2_2_00B3DEF4, 2_2_00B3ECE3, 2_2_00B3AEEB, 2_2_00B408D1, 2_2_00B2441E, 2_2_00B2F41F,
    2_2_00B24C00, 2_2_00B22043, 2_2_00B22A46, 2_2_00B23845, 2_2_00B37BB2, 2_2_00B3D99A, 2_2_00B29384, 2_2_00B3056A,
    2_2_00B25AB2, 2_2_00B398BD, 2_2_00B2FEA0, 2_2_00B3D6A7, 2_2_00B378A5, 2_2_00B344AA, 2_2_00B2DAAE, 2_2_00B3D091,
    2_2_00B23C91, 2_2_00B2AC95, 2_2_00B3AC9B, 2_2_00B27283, 2_2_00B40687, 2_2_00B34E8A, 2_2_00B3748A, 2_2_00B2CC8D,
    2_2_00B3A8F0, 2_2_00B230F6, 2_2_00B37ED1, 2_2_00B3CCD4, 2_2_00B30ADE, 2_2_00B3BEC9, 2_2_00B41A3C, 2_2_00B3F83F,
    2_2_00B29E22, 2_2_00B2D223, 2_2_00B35220, 2_2_00B2EC27, 2_2_00B31C10, 2_2_00B2E21C, 2_2_00B21A0A, 2_2_00B2220A,
    2_2_00B28C09, 2_2_00B21C76, 2_2_00B3406E, 2_2_00B29A57, 2_2_00B22654, 2_2_00B3E441, 2_2_00B2A048, 2_2_00B343B3,
    2_2_00B2BFB6, 2_2_00B3B1B5, 2_2_00B32FA2, 2_2_00B39DA1, 2_2_00B34BAA, 2_2_00B2FD91, 2_2_00B3B397, 2_2_00B41193,
    2_2_00B24F8E, 2_2_00B2758F, 2_2_00B34D8D, 2_2_00B403F1, 2_2_00B2C5FE, 2_2_00B255E8, 2_2_00B3BFE8, 2_2_00B2A3DF,
    2_2_00B26FC4, 2_2_00B425C3, 2_2_00B40B34, 2_2_00B25923, 2_2_00B26B25, 2_2_00B4292B, 2_2_00B3FD10, 2_2_00B2251C,
    2_2_00B23502, 2_2_00B22309, 2_2_00B3577E, 2_2_00B31F6B, 2_2_00B2C158, 2_2_00B23F5C, 2_2_00B23345, 2_2_00B41343,
    2_2_00B3F14D
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions (2_2, loaded module image range):
    2_2_6EDE6620, 2_2_6EDE5730, 2_2_6EE0C6FE, 2_2_6EDE5EE0, 2_2_6EE03780, 2_2_6EDEF700, 2_2_6EDF1CD0, 2_2_6EDFDC5D,
    2_2_6EDFA29D, 2_2_6EDE2A80, 2_2_6EDFDA2D, 2_2_6EE13074, 2_2_6EE11929
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions (3_2):
    3_2_007C441E, 3_2_007DCAA8, 3_2_007D43B3, 3_2_007C1C76, 3_2_007D406E, 3_2_007C2654, 3_2_007C9A57, 3_2_007CA048,
    3_2_007C3845, 3_2_007C2A46, 3_2_007DE441, 3_2_007C2043, 3_2_007DF83F, 3_2_007E1A3C, 3_2_007CEC27, 3_2_007D5220,
    3_2_007C9E22, 3_2_007CD223, 3_2_007CE21C, 3_2_007CF41F, 3_2_007D1C10, 3_2_007C8C09, 3_2_007C1A0A, 3_2_007C220A,
    3_2_007C4C00, 3_2_007DDEF4, 3_2_007C30F6, 3_2_007DA8F0, 3_2_007DAEEB, 3_2_007DECE3, 3_2_007D0ADE, 3_2_007DCCD4,
    3_2_007D7ED1, 3_2_007E08D1, 3_2_007DBEC9, 3_2_007D98BD, 3_2_007D90BA, 3_2_007C5AB2, 3_2_007CDAAE, 3_2_007D44AA,
    3_2_007D78A5, 3_2_007DD6A7, 3_2_007CFEA0, 3_2_007DAC9B, 3_2_007CAC95, 3_2_007DD091, 3_2_007C3C91, 3_2_007CCC8D,
    3_2_007D4E8A, 3_2_007D748A, 3_2_007E0687, 3_2_007C7283, 3_2_007D577E, 3_2_007D1F6B, 3_2_007D056A, 3_2_007C3F5C,
    3_2_007CC158, 3_2_007DF14D, 3_2_007C3345, 3_2_007E1343, 3_2_007E0B34, 3_2_007E292B, 3_2_007C6B25, 3_2_007C5923,
    3_2_007C251C, 3_2_007DFD10, 3_2_007C2309, 3_2_007C3502, 3_2_007CC5FE, 3_2_007E03F1, 3_2_007C55E8, 3_2_007DBFE8,
    3_2_007CA3DF, 3_2_007C6FC4, 3_2_007E25C3
                      Source: C:\Windo