Windows Analysis Report dUGnMYeP1C

Overview

General Information

Sample Name: dUGnMYeP1C (renamed file extension from none to dll)
Analysis ID: 524858
MD5: 9369750d8d21d8fcb1b35365f232625f
SHA1: 30902a381e823450780e0efbbdc4d4130a032e20
SHA256: 8d91807aa27ee93694388b7cbfa9d74a3d93407036650cdd29631360b675853f
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6480 cmdline: loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6492 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6468 cmdline: rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6508 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6544 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6564 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4596 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.rundll32.exe.7b43e8.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.9e4140.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.8b4350.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.3264268.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.8b4350.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6468, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, ProcessId: 1688

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: dUGnMYeP1C.dll, Virustotal: Detection: 19%
Source: dUGnMYeP1C.dll, ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/, Virustotal: Detection: 9%
Source: dUGnMYeP1C.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: dUGnMYeP1C.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E4DD1EE FindFirstFileExA, 0_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E4DD1EE FindFirstFileExA, 2_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_031E1A80 FindFirstFileW, 14_2_031E1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49763 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected: GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1 Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ== Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190 196.44.98.190
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown, Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, 0000000E.00000003.836491061.0000000003666000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.978146496.000001FFDD700000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.978005532.000001FFDD0EF000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp, String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp, String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp, String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000019.00000003.959264730.000001FFDD7A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_031F1027 InternetReadFile, 14_2_031F1027
Source: loaddll32.exe, 00000000.00000002.765596973.000000000164B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E4B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 0_2_6E4B5EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: dUGnMYeP1C.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Syakyqcviop\
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E6FC40_2_013E6FC4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FF83F0_2_013FF83F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EEC270_2_013EEC27
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E9E220_2_013E9E22
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013ED2230_2_013ED223
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F52200_2_013F5220
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E441E0_2_013E441E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EF41F0_2_013EF41F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EE21C0_2_013EE21C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F1C100_2_013F1C10
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E1A0A0_2_013E1A0A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E220A0_2_013E220A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E8C090_2_013E8C09
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E4C000_2_013E4C00
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E1C760_2_013E1C76
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F406E0_2_013F406E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E9A570_2_013E9A57
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E26540_2_013E2654
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EA0480_2_013EA048
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E2A460_2_013E2A46
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E38450_2_013E3845
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01401A3C0_2_01401A3C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E20430_2_013E2043
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FE4410_2_013FE441
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F98BD0_2_013F98BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F90BA0_2_013F90BA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E5AB20_2_013E5AB2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EDAAE0_2_013EDAAE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_014008D10_2_014008D1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F44AA0_2_013F44AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FD6A70_2_013FD6A7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F78A50_2_013F78A5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EFEA00_2_013EFEA0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FAC9B0_2_013FAC9B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EAC950_2_013EAC95
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FD0910_2_013FD091
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E3C910_2_013E3C91
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013ECC8D0_2_013ECC8D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F4E8A0_2_013F4E8A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F748A0_2_013F748A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E72830_2_013E7283
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_014006870_2_01400687
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E30F60_2_013E30F6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FDEF40_2_013FDEF4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FA8F00_2_013FA8F0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FAEEB0_2_013FAEEB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FECE30_2_013FECE3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F0ADE0_2_013F0ADE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FCCD40_2_013FCCD4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013F7ED10_2_013F7ED1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013FBEC90_2_013FBEC9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4B66200_2_6E4B6620
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4B57300_2_6E4B5730
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4B5EE00_2_6E4B5EE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4DC6FE0_2_6E4DC6FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4BF7000_2_6E4BF700
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4D37800_2_6E4D3780
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4CDC5D0_2_6E4CDC5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4C1CD00_2_6E4C1CD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4CDA2D0_2_6E4CDA2D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4B2A800_2_6E4B2A80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4CA29D0_2_6E4CA29D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E30740_2_6E4E3074
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E19290_2_6E4E1929
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4B66202_2_6E4B6620
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4B57302_2_6E4B5730
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4B5EE02_2_6E4B5EE0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4DC6FE2_2_6E4DC6FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4BF7002_2_6E4BF700
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4D37802_2_6E4D3780
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4CDC5D2_2_6E4CDC5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4C1CD02_2_6E4C1CD0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4CDA2D2_2_6E4CDA2D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4B2A802_2_6E4B2A80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4CA29D2_2_6E4CA29D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4E30742_2_6E4E3074
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E4E19292_2_6E4E1929
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFCAA83_2_00EFCAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE441E3_2_00EE441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF43B33_2_00EF43B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFAEEB3_2_00EFAEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFECE33_2_00EFECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE30F63_2_00EE30F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFDEF43_2_00EFDEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFA8F03_2_00EFA8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F008D13_2_00F008D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFBEC93_2_00EFBEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF0ADE3_2_00EF0ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFCCD43_2_00EFCCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF7ED13_2_00EF7ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEDAAE3_2_00EEDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF44AA3_2_00EF44AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFD6A73_2_00EFD6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF78A53_2_00EF78A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEFEA03_2_00EEFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF98BD3_2_00EF98BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF90BA3_2_00EF90BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE5AB23_2_00EE5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EECC8D3_2_00EECC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF4E8A3_2_00EF4E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF748A3_2_00EF748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE72833_2_00EE7283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFAC9B3_2_00EFAC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F006873_2_00F00687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEAC953_2_00EEAC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFD0913_2_00EFD091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE3C913_2_00EE3C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF406E3_2_00EF406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE1C763_2_00EE1C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEA0483_2_00EEA048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE2A463_2_00EE2A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE38453_2_00EE3845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE20433_2_00EE2043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFE4413_2_00EFE441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE9A573_2_00EE9A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE26543_2_00EE2654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEEC273_2_00EEEC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE9E223_2_00EE9E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F01A3C3_2_00F01A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EED2233_2_00EED223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF52203_2_00EF5220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFF83F3_2_00EFF83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE1A0A3_2_00EE1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE220A3_2_00EE220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE8C093_2_00EE8C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE4C003_2_00EE4C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEF41F3_2_00EEF41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEE21C3_2_00EEE21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF1C103_2_00EF1C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F003F13_2_00F003F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE55E83_2_00EE55E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFBFE83_2_00EFBFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEC5FE3_2_00EEC5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE6FC43_2_00EE6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEA3DF3_2_00EEA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F025C33_2_00F025C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF4BAA3_2_00EF4BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF2FA23_2_00EF2FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF9DA13_2_00EF9DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEBFB63_2_00EEBFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFB1B53_2_00EFB1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF7BB23_2_00EF7BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE4F8E3_2_00EE4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE758F3_2_00EE758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF4D8D3_2_00EF4D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F011933_2_00F01193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE93843_2_00EE9384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFD99A3_2_00EFD99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFB3973_2_00EFB397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEFD913_2_00EEFD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF1F6B3_2_00EF1F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF056A3_2_00EF056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EF577E3_2_00EF577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFF14D3_2_00EFF14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE33453_2_00EE3345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE3F5C3_2_00EE3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F013433_2_00F01343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EEC1583_2_00EEC158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F00B343_2_00F00B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE6B253_2_00EE6B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE59233_2_00EE5923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00F0292B3_2_00F0292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE23093_2_00EE2309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE35023_2_00EE3502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EE251C3_2_00EE251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00EFFD103_2_00EFFD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092CAA86_2_0092CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091441E6_2_0091441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009243B36_2_009243B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00913C916_2_00913C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092D0916_2_0092D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091AC956_2_0091AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092AC9B6_2_0092AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009172836_2_00917283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009306876_2_00930687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00924E8A6_2_00924E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092748A6_2_0092748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091CC8D6_2_0091CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00915AB26_2_00915AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009290BA6_2_009290BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009298BD6_2_009298BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091FEA06_2_0091FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092D6A76_2_0092D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009278A56_2_009278A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009244AA6_2_009244AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091DAAE6_2_0091DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009308D16_2_009308D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00927ED16_2_00927ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092CCD46_2_0092CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00920ADE6_2_00920ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092BEC96_2_0092BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092A8F06_2_0092A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092DEF46_2_0092DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009130F66_2_009130F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092ECE36_2_0092ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092AEEB6_2_0092AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00921C106_2_00921C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091E21C6_2_0091E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091F41F6_2_0091F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00914C006_2_00914C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00918C096_2_00918C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00911A0A6_2_00911A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091220A6_2_0091220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092F83F6_2_0092F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00931A3C6_2_00931A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009252206_2_00925220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091D2236_2_0091D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00919E226_2_00919E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091EC276_2_0091EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009126546_2_00912654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00919A576_2_00919A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009120436_2_00912043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092E4416_2_0092E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009138456_2_00913845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00912A466_2_00912A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091A0486_2_0091A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00911C766_2_00911C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092406E6_2_0092406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091FD916_2_0091FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009311936_2_00931193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092B3976_2_0092B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092D99A6_2_0092D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009193846_2_00919384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091758F6_2_0091758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00924D8D6_2_00924D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00914F8E6_2_00914F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00927BB26_2_00927BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092B1B56_2_0092B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091BFB66_2_0091BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00922FA26_2_00922FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00929DA16_2_00929DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00924BAA6_2_00924BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091A3DF6_2_0091A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009325C36_2_009325C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00916FC46_2_00916FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009303F16_2_009303F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091C5FE6_2_0091C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009155E86_2_009155E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092BFE86_2_0092BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092FD106_2_0092FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091251C6_2_0091251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009135026_2_00913502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009123096_2_00912309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00930B346_2_00930B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009159236_2_00915923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00916B256_2_00916B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0093292B6_2_0093292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0091C1586_2_0091C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00913F5C6_2_00913F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009313436_2_00931343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_009133456_2_00913345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092F14D6_2_0092F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092577E6_2_0092577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0092056A6_2_0092056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00921F6B6_2_00921F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9CAA89_2_00F9CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F8441E9_2_00F8441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F943B39_2_00F943B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9A8F09_2_00F9A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9DEF49_2_00F9DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F830F69_2_00F830F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9AEEB9_2_00F9AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9ECE39_2_00F9ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F90ADE9_2_00F90ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F97ED19_2_00F97ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00FA08D19_2_00FA08D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9CCD49_2_00F9CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F9BEC99_2_00F9BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F990BA9_2_00F990BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F998BD9_2_00F998BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F85AB29_2_00F85AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F944AA9_2_00F944AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00F8DAAE9_2_00F8DAAE