Windows Analysis Report 5YO8hZg21O

Overview

General Information

Sample Name: 5YO8hZg21O (renamed file extension from none to dll)
Analysis ID: 524860
MD5: 5396135926f3d561823702e15191897a
SHA1: d69e5939a0fdac94d31fb7c782727e9e8bced2a0
SHA256: ac0c7a80d4eaf440526bd4b902e31bac13c09c94ca946dbd5591fd7c09d668f2
Tags: 32 dll exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6668 cmdline: loaddll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6736 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6792 cmdline: rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 7140 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6780 cmdline: rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 772 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",xBPZ MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5732 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6876 cmdline: rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7020 cmdline: rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2528 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1312 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.rundll32.exe.b44230.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
1.2.loaddll32.exe.b8b540.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
1.2.loaddll32.exe.b8b540.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.34c4df8.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.34c4df8.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started; Author: FPT.EagleEye; Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6792, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL, ProcessId: 7140

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.loaddll32.exe.b8b540.0.raw.unpack; Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 5YO8hZg21O.dll; Virustotal: Detection: 21%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/; Virustotal: Detection: 9%
Source: 5YO8hZg21O.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown; HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: 5YO8hZg21O.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_6F1AD1EE FindFirstFileExA,1_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6F1AD1EE FindFirstFileExA,3_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 16_2_00EA1A80 FindFirstFileW,16_2_00EA1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49744 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View; JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic; HTTP traffic detected:
  GET /GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI HTTP/1.1
  Cookie: BVq=wHBtME3BTvrsq6ERaxvqV74K175PcHA24bIWLDvPLoS1yKbr56Te7Vwjn8yCzOb5uzKJ+NM/RhoV/mJ/gEOd2piZqQlfbkOPLRNqvIQh34bv6jYQ4eiZWAF5phOpnxaIL7NaJmqh2Rh3BnY6Al2CP1ZA3YwrRE+JwhxIfOAtxkeWKcmFs+sB1vzHELNH5hCfiAG33DpQULpyZwsTzH1N2WMTRxF8XKCrAEZVjYtSxpcgZyxbIS111PWiNLscb+HuEFGnWkXsxMJgHhIGJCK0WJlO7KRDP6W4uiWwbI3Rqiedq147jj+TLE3bLUWRJYyiP8n0GEM=
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View; IP Address: 196.44.98.190 196.44.98.190
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown; Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, 00000010.00000003.534280239.0000000003193000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.862885542.000001B689888000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.862795195.000001B689815000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp; String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/.Tw
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp; String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI
Source: rundll32.exe, 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqIT
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp; String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqITg3
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp; String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp; String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp; String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp; String found in binary or memory: https://www.pango.co/privacy
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 16_2_00EB1027 InternetReadFile,16_2_00EB1027
Source: unknown; HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_6F185EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,1_2_6F185EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match; File source: 9.2.rundll32.exe.b44230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.loaddll32.exe.b8b540.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.loaddll32.exe.b8b540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.34c4df8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.34c4df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.34343b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.b44230.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.rundll32.exe.3114f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.34343b8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.2fb4358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.rundll32.exe.3114f88.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.2fb4358.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: 5YO8hZg21O.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C9C5FE1_2_00C9C5FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CB03F11_2_00CB03F1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C9758F1_2_00C9758F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA4D8D1_2_00CA4D8D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C94F8E1_2_00C94F8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C993841_2_00C99384
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CAD99A1_2_00CAD99A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CB11931_2_00CB1193
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C9FD911_2_00C9FD91
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CAB3971_2_00CAB397
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA4BAA1_2_00CA4BAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA2FA21_2_00CA2FA2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA9DA11_2_00CA9DA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA7BB21_2_00CA7BB2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CAB1B51_2_00CAB1B5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C9BFB61_2_00C9BFB6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CAF14D1_2_00CAF14D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CB13431_2_00CB1343
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C933451_2_00C93345
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C9C1581_2_00C9C158
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C93F5C1_2_00C93F5C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA056A1_2_00CA056A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CA1F6B1_2_00CA1F6B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C923091_2_00C92309
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C935021_2_00C93502
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C9251C1_2_00C9251C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CAFD101_2_00CAFD10
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CB292B1_2_00CB292B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C959231_2_00C95923
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C96B251_2_00C96B25
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CB0B341_2_00CB0B34
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F1857301_2_6F185730
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F1866201_2_6F186620
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F18F7001_2_6F18F700
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F1A37801_2_6F1A3780
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F1AC6FE1_2_6F1AC6FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F185EE01_2_6F185EE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F19DC5D1_2_6F19DC5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F191CD01_2_6F191CD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F19DA2D1_2_6F19DA2D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F19A29D1_2_6F19A29D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F182A801_2_6F182A80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F1B30741_2_6F1B3074
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313056A3_2_0313056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313D99A3_2_0313D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031293843_2_03129384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03137BB23_2_03137BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312441E3_2_0312441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312F41F3_2_0312F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03124C003_2_03124C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031220433_2_03122043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03122A463_2_03122A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031238453_2_03123845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031390BA3_2_031390BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313CAA83_2_0313CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031408D13_2_031408D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313DEF43_2_0313DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313ECE33_2_0313ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313AEEB3_2_0313AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313FD103_2_0313FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312251C3_2_0312251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031235023_2_03123502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031223093_2_03122309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03140B343_2_03140B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031259233_2_03125923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03126B253_2_03126B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0314292B3_2_0314292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312C1583_2_0312C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03123F5C3_2_03123F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031233453_2_03123345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031413433_2_03141343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313F14D3_2_0313F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313577E3_2_0313577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03131F6B3_2_03131F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312FD913_2_0312FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313B3973_2_0313B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031411933_2_03141193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03124F8E3_2_03124F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312758F3_2_0312758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03134D8D3_2_03134D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031343B33_2_031343B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312BFB63_2_0312BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313B1B53_2_0313B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03132FA23_2_03132FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03139DA13_2_03139DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03134BAA3_2_03134BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312A3DF3_2_0312A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03126FC43_2_03126FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031425C33_2_031425C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031403F13_2_031403F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312C5FE3_2_0312C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031255E83_2_031255E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313BFE83_2_0313BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03131C103_2_03131C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312E21C3_2_0312E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03121A0A3_2_03121A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312220A3_2_0312220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03128C093_2_03128C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03141A3C3_2_03141A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313F83F3_2_0313F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03129E223_2_03129E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312D2233_2_0312D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031352203_2_03135220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312EC273_2_0312EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03129A573_2_03129A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031226543_2_03122654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313E4413_2_0313E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312A0483_2_0312A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03121C763_2_03121C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313406E3_2_0313406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313D0913_2_0313D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03123C913_2_03123C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312AC953_2_0312AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313AC9B3_2_0313AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031272833_2_03127283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031406873_2_03140687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03134E8A3_2_03134E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313748A3_2_0313748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312CC8D3_2_0312CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03125AB23_2_03125AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031398BD3_2_031398BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312FEA03_2_0312FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313D6A73_2_0313D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031378A53_2_031378A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031344AA3_2_031344AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0312DAAE3_2_0312DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03137ED13_2_03137ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313CCD43_2_0313CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03130ADE3_2_03130ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313BEC93_2_0313BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0313A8F03_2_0313A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_031230F63_2_031230F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F1857303_2_6F185730
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F1866203_2_6F186620
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F18F7003_2_6F18F700
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F1A37803_2_6F1A3780
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F1AC6FE3_2_6F1AC6FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F185EE03_2_6F185EE0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F19DC5D3_2_6F19DC5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F197C473_2_6F197C47
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F191CD03_2_6F191CD0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F19DA2D3_2_6F19DA2D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F19A29D3_2_6F19A29D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F182A803_2_6F182A80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F1B19293_2_6F1B1929
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F1B30743_2_6F1B3074
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033243B35_2_033243B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331441E5_2_0331441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332CAA85_2_0332CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03330B345_2_03330B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033159235_2_03315923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03316B255_2_03316B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0333292B5_2_0333292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332FD105_2_0332FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331251C5_2_0331251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033135025_2_03313502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033123095_2_03312309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332577E5_2_0332577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332056A5_2_0332056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03321F6B5_2_03321F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331C1585_2_0331C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03313F5C5_2_03313F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033313435_2_03331343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033133455_2_03313345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332F14D5_2_0332F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03327BB25_2_03327BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332B1B55_2_0332B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331BFB65_2_0331BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03322FA25_2_03322FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03329DA15_2_03329DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03324BAA5_2_03324BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331FD915_2_0331FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033311935_2_03331193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332B3975_2_0332B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332D99A5_2_0332D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033193845_2_03319384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331758F5_2_0331758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03324D8D5_2_03324D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03314F8E5_2_03314F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033303F15_2_033303F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331C5FE5_2_0331C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033155E85_2_033155E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332BFE85_2_0332BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331A3DF5_2_0331A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033325C35_2_033325C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03316FC45_2_03316FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332F83F5_2_0332F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03331A3C5_2_03331A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033252205_2_03325220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331D2235_2_0331D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03319E225_2_03319E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331EC275_2_0331EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03321C105_2_03321C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331E21C5_2_0331E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331F41F5_2_0331F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03314C005_2_03314C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03318C095_2_03318C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03311A0A5_2_03311A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331220A5_2_0331220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03311C765_2_03311C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332406E5_2_0332406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033126545_2_03312654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03319A575_2_03319A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033120435_2_03312043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332E4415_2_0332E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033138455_2_03313845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03312A465_2_03312A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331A0485_2_0331A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03315AB25_2_03315AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033290BA5_2_033290BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033298BD5_2_033298BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331FEA05_2_0331FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332D6A75_2_0332D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033278A55_2_033278A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033244AA5_2_033244AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331DAAE5_2_0331DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03313C915_2_03313C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332D0915_2_0332D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331AC955_2_0331AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332AC9B5_2_0332AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033172835_2_03317283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033306875_2_03330687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03324E8A5_2_03324E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332748A5_2_0332748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0331CC8D5_2_0331CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332A8F05_2_0332A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332DEF45_2_0332DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033130F65_2_033130F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332ECE35_2_0332ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332AEEB5_2_0332AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_033308D15_2_033308D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03327ED15_2_03327ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332CCD45_2_0332CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03320ADE5_2_03320ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0332BEC95_2_0332BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0CAA89_2_00B0CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF441E9_2_00AF441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B043B39_2_00B043B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AFDAAE9_2_00AFDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B090BA9_2_00B090BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B098BD9_2_00B098BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AFFEA09_2_00AFFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B078A59_2_00B078A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0D6A79_2_00B0D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B044AA9_2_00B044AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF5AB29_2_00AF5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0D0919_2_00B0D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AFCC8D9_2_00AFCC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0AC9B9_2_00B0AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF72839_2_00AF7283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B106879_2_00B10687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B04E8A9_2_00B04E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0748A9_2_00B0748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AFAC959_2_00AFAC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF3C919_2_00AF3C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0A8F09_2_00B0A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0DEF49_2_00B0DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0ECE39_2_00B0ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF30F69_2_00AF30F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0AEEB9_2_00B0AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B108D19_2_00B108D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B07ED19_2_00B07ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0CCD49_2_00B0CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B00ADE9_2_00B00ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0BEC99_2_00B0BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AFEC279_2_00AFEC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AFD2239_2_00AFD223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF9E229_2_00AF9E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B11A3C9_2_00B11A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B0F83F9_2_00B0F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B052209_2_00B05220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00B01C109_2_00B01C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF1A0A9_2_00AF1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00AF220A9_2_00AF220A