Windows Analysis Report GQwxmGZFvtg.dll

Overview

General Information

Sample Name: GQwxmGZFvtg.dll
Analysis ID: 525020
MD5: 3ecb8e8c0baaa4acf5ca647a29ad2989
SHA1: 5de0548c74dd501454c949dc13a7a4e37e35aceb
SHA256: 7e4d240abe7a3835a088482d21e8f308c678035513631543e370f0f028a2f40e

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3228 cmdline: loaddll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4720 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 2932 cmdline: rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5576 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5244 cmdline: rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5480 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp",iHIeY MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2224 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2016 cmdline: rundll32.exe C:\Users\user\Desktop\GQwxmGZFvtg.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2240 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4544 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 3716 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5740 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.1195922556.000000000319A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.776937820.0000000002C55000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.829087525.0000000002B9A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.792999078.0000000002F2A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.776035801.000000000048A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.2bb5280.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.2f443a8.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.4a4148.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.30f42a8.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.4a4148.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2932, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\GQwxmGZFvtg.dll",Control_RunDLL, ProcessId: 5576

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.f5c758.0.raw.unpack, Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: GQwxmGZFvtg.dll, Virustotal: Detection: 18%
Source: GQwxmGZFvtg.dll, ReversingLabs: Detection: 24%
Source: GQwxmGZFvtg.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: GQwxmGZFvtg.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E56D1EE FindFirstFileExA, 2_2_6E56D1EE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49774 -> 51.178.61.60:443
Source: Traffic, Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49783 -> 168.197.250.14:80
Source: Traffic, Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 168.197.250.14:80 -> 192.168.2.4:49783
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected: GET /vIaXhjlEiVCJtvEYurwocvmNMaSkNlb HTTP/1.1 | Cookie: DGOfLuguTgt=UBN56B3QU+Tc+Xgq31bg3f9Hc8SeJtGwRW8cIQG0AjCXtu7IVNtnsz2CZP6/nHbvDL2M+GXz6pqgLLehfHZd2GGYpuU8uQKdmhGRacOnQW/ucq9cf8VNNBbQNPbhaJyv0XRSuZSYFPtFB7LZ1OorndJDYNrS7ph90Fj+KdcaTImxvaL1Qs5Z6UL4ThHUhcfK77E//BWfq9+pJEy7ddTtLK+8K0+70BY+tADtOTnA6uo2ueeAIbD3B8i85HcUUZx7mjc28/XQaTOUj2m814xjTOmgG7kxOyfQBdcReokKXCbScsmno86poBr9V773eA2kw1LMUwfE | Host: 51.178.61.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190 196.44.98.190
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown, Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown, TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.1010712858.00000188A7500000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000C.00000003.961336355.0000000005586000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0083cfa262775
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14/
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14/GlobalSign
Source: rundll32.exe, 0000000C.00000003.959440225.0000000003231000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14/rosoft
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/D
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFy
Source: rundll32.exe, 0000000C.00000003.959440225.0000000003231000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFy-0
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFy3
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/OtSInaOjcxTpmnaQwecTWVLWIJIlRyonuNIIpOexeLeibZsTuTWRBEaFrFZGFyKC
Source: rundll32.exe, 0000000C.00000003.959543667.0000000003247000.00000004.00000001.sdmp, String found in binary or memory: https://168.197.250.14:80/W4
Source: rundll32.exe, 0000000C.00000003.957741992.0000000003231000.00000004.00000001.sdmp, String found in binary or memory: https://51.178.61.60/vIaXhjlEiVCJtvEYurwocvmNMaSkNlb
Source: rundll32.exe, 0000000C.00000003.957741992.0000000003231000.00000004.00000001.sdmp, String found in binary or memory: https://51.178.61.60/vIaXhjlEiVCJtvEYurwocvmNMaSkNlb9
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000016.00000003.990393710.00000188A7590000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000016.00000003.992091612.00000188A7575000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.c
Source: svchost.exe, 00000016.00000003.991938156.00000188A7A02000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E545EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode, 2_2_6E545EE0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 8.2.rundll32.exe.2bb5280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2f443a8.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4a4148.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.30f42a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4a4148.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2f443a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2bb5280.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.f5c758.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.rundll32.exe.31b4780.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.30f42a8.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.rundll32.exe.31b4780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.f5c758.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.1195922556.000000000319A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.776937820.0000000002C55000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.829087525.0000000002B9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.792999078.0000000002F2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.776035801.000000000048A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.795842266.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.796379773.0000000000F4A000.00000004.00000020.sdmp, type: MEMORY

                      System Summary:

                      Source: GQwxmGZFvtg.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\nlnmlmepgkdbq.udp:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Gbdnfdnwgwzcefyt\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_032A220A5_2_032A220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_032A8C095_2_032A8C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_032A4C005_2_032A4C00