Windows Analysis Report wNjqkrm8pH

Overview

General Information

Sample Name: wNjqkrm8pH (renamed file extension from none to dll)
Analysis ID: 524862
MD5: 699b39c805f6a366707eb9a0e580bc0d
SHA1: 04489a4c9d50b62a9ff16f5baa67f568b2eb46ed
SHA256: 142d330305cf2bba895b000b9c7c2da6c6b38cb728d3fb347da8dd9f0bed4845
Tags: 32 dll exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6164 cmdline: loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2804 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5940 cmdline: rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6280 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 672 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6416 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6828 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6420 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5416 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2236 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(2 further entries not included in this export)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.3304250.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.d341f8.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.3464320.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.d341f8.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.32a6388.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 further entries not included in this export)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5940, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, ProcessId: 2944

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.e45298.1.raw.unpack | Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: wNjqkrm8pH.dll | Virustotal: Detection: 24%
Source: wNjqkrm8pH.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: wNjqkrm8pH.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9DD1EE FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E9DD1EE FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_00EB1A80 FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49747 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 51.178.61.60:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 45.79.33.48:8080
Source: Malware configuration extractor | IPs: 196.44.98.190:8080
Source: Malware configuration extractor | IPs: 177.72.80.14:7080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.169.10:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
    GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1
    Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 196.44.98.190
Source: Joe Sandbox View | IP Address: 78.46.73.125
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60 (10 occurrences)
Source: svchost.exe, 00000019.00000003.612262816.0000025AA9597000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.607542266.0000025AA9575000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.607594577.0000025AA9599000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_00EC1027 InternetReadFile
Source: global traffic | HTTP traffic detected:
    GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1
    Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: wNjqkrm8pH.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Hsngzdtsiohsyp\
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010543B3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104441E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105CAA8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01043502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01042309
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105FD10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104251C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01046B25
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01045923
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0106292B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01060B34
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01043345
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01061343
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105F14D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01043F5C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104C158
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01051F6B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105056A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105577E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01049384
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01054D8D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01044F8E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104758F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105B397
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104FD91
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01061193
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105D99A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01059DA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01052FA2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01054BAA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105B1B5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104BFB6
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01057BB2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01046FC4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010625C3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104A3DF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105BFE8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010603F1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104C5FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01044C00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01048C09
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01041A0A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104220A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01051C10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104E21C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104F41F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104EC27
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01055220
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01049E22
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104D223
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105F83F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01061A3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01043845
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01042A46
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105E441
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01042043
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104A048
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01042654
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01049A57
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105406E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01041C76
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01060687
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01047283
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104CC8D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01054E8A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105748A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104AC95
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105D091
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01043C91
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105AC9B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010578A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0105D6A7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104FEA0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010544AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01045AB2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_010598BD0_2_010598BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_010590BA0_2_010590BA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0105BEC90_2_0105BEC9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0105CCD40_2_0105CCD4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01057ED10_2_01057ED1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_010608D10_2_010608D1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01050ADE0_2_01050ADE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0105ECE30_2_0105ECE3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0105AEEB0_2_0105AEEB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0105DEF40_2_0105DEF4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_010430F60_2_010430F6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B66200_2_6E9B6620
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B57300_2_6E9B5730
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9DC6FE0_2_6E9DC6FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B5EE00_2_6E9B5EE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA60F0_2_6E9CA60F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CAE3B0_2_6E9CAE3B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9D37800_2_6E9D3780
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9BF7000_2_6E9BF700
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C1CD00_2_6E9C1CD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CDC5D0_2_6E9CDC5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C7C470_2_6E9C7C47
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA29D0_2_6E9CA29D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B2A800_2_6E9B2A80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CDA2D0_2_6E9CDA2D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CAB800_2_6E9CAB80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA8B90_2_6E9CA8B9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E30740_2_6E9E3074
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA1F00_2_6E9CA1F0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E19290_2_6E9E1929
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D108D1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D090BA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF2A46
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF3845
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF2043
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF4C00
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFF41F
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF441E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0D99A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF9384
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D07BB2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0056A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D07ED1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D00ADE
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF30F6
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0D091
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFCC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF7283
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D10687
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D04E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0748A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFAC95
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF3C91
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D098BD
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D078A5
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D044AA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFA048
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0E441
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF9A57
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF2654
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF1C76
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0406E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D01C10
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF220A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF8C09
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFE21C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFEC27
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFD223
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF9E22
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D11A3C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0F83F
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D05220
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D125C3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D103F1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF55E8
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFC5FE
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF758F
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D11193
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0B397
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D04D8D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFFD91
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D043B3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D09DA1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D02FA2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFBFB6
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D04BAA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF3345
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D11343
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CFC158
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0F14D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0577E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D01F6B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D0FD10
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF2309
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF3502
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF251C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D10B34
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF6B25
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00CF5923
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_00D1292B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9B6620
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9B5730
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9DC6FE
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9B5EE0
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9D3780
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9BF700
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9C1CD0
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9CDC5D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9C7C47
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9CA29D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9B2A80
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9CDA2D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9E3074
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 2_2_6E9E1929
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032443B3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323441E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03235923
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03236B25
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0325292B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03250B34
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03233502
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03232309
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324FD10
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323251C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324056A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03241F6B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324577E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03233345
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03251343
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324F14D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323C158
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03233F5C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03249DA1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03242FA2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03244BAA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03247BB2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03239384
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03244D8D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323758F
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03234F8E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323FD91
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324B397
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03251193
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324D99A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032503F1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032525C3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03236FC4
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323D223
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03239E22
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03245220
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323EC27
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03251A3C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324F83F
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03234C00
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03231A0A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323220A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03238C09
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03241C10
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323F41F
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323E21C
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324406E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03231C76
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03232043
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03232A46
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324E441
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03233845
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323A048
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03239A57
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03232654
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032478A5
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032444AA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03235AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032498BD
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032490BA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03237283
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03250687
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03244E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324748A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03233C91
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324D091
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0323AC95
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032330F6
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_0324CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_032508D1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03247ED1
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 3_2_03240ADE
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B3CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B2441E
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B343B3
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B25AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B390BA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B398BD
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B2FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B3D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B378A5
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B344AA
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B3D091
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B23C91
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B2AC95
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B3AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B27283
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B40687
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B34E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B3748A
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B2CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B230F6
                      Source: C:\Windows\SysWOW64\rundll32.exe    Code function: 5_2_00B3DEF4
                      Source: