Windows Analysis Report qrb6jVwzoe

Overview

General Information

Sample Name: qrb6jVwzoe (renamed file extension from none to dll)
Analysis ID: 528000
MD5: 56547488fb182b73f83211903ce2dd30
SHA1: e3c962932fb99e7685ea989356d60afc4045c52f
SHA256: bf0cadbc8a6b28a54eb0db5f2afe582a02d5f1dedb058097abc1d7b43ba7deb0
Tags: 32, dll, exe, trojan
Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7156 cmdline: loaddll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4716 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 580 cmdline: rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5184 cmdline: rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6228 cmdline: rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6376 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6100 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.3.rundll32.exe.3246c20.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.fa6a40.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.3.rundll32.exe.3246c20.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.f66ce0.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.3.rundll32.exe.3246c20.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6416, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL, ProcessId: 6376

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.3.rundll32.exe.3246c20.1.raw.unpack, Malware Configuration Extractor: Emotet
Machine Learning detection for sample
Source: qrb6jVwzoe.dll, Joe Sandbox ML: detected
Source: qrb6jVwzoe.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: qrb6jVwzoe.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6F32188A FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6F32188A FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_10011A80 FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49755 -> 51.178.61.60:443
Source: Traffic, Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.6:49756 -> 168.197.250.14:80
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49757 -> 45.79.33.48:8080
Source: Traffic, Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49760 -> 196.44.98.190:8080
Source: Traffic, Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.6:49783 -> 177.72.80.14:7080
Source: Traffic, Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.6:49783
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 196.44.98.190 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.79.33.48 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 177.72.80.14 168
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected:
  GET /BCcDzRknSjFPjuOxHLZvVqcO HTTP/1.1
  Cookie: QMpLEjjFd=c4U8GYO3gBQ2KCd18VNTs9PT8hpdVNqj4zLzgZE1fFI9x0SPtcMipNFNESf8CsAVem5JWMqQ8ndGaJ1DdBO6E5KdfcNjE1YapLmU92FtgBNQbP19LEuO+ya4SHRYKzrZSycrfZTK0DPGNQZNeJ6j1cioezM7bzeTQ/thQoUAbkNL0mgdSgnH4s5+Omur7YLxQg0NgsR41aDxprzsQzXD6m2hLQv3kzo0+dQAtysUr4iTrR26F9NeGzF2zkgnUERUJbSQGPdy5NBtzT8NJyvrR6k15te4INQfbmWwqTBzGbEzsQ==
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190 196.44.98.190
Source: global traffic, TCP traffic: 192.168.2.6:49757 -> 45.79.33.48:8080
Source: global traffic, TCP traffic: 192.168.2.6:49760 -> 196.44.98.190:8080
Source: global traffic, TCP traffic: 192.168.2.6:49783 -> 177.72.80.14:7080
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown, Network traffic detected: HTTP traffic on port 49755 -> 443
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 24 Nov 2021 15:49:10 GMT
  Content-Type: text/html
  Content-Length: 162
  Connection: close
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown, TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown, TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown, TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown, TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: svchost.exe, 00000010.00000002.488148840.00000283AB300000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000010.00000002.488035561.00000283AAAEF000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000010.00000003.468408043.00000283AB37D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.468696929.00000283AB802000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xml
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000010.00000003.469550789.00000283AB39E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469585503.00000283AB3B3000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_10021027 InternetReadFile
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49755 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet

System Summary:

Source: qrb6jVwzoe.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Mkjhtkxzcnwc\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100038454_2_10003845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000A0484_2_1000A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001406E4_2_1001406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10001C764_2_10001C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001748A4_2_1001748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000CC8D4_2_1000CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001D0914_2_1001D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10003C914_2_10003C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000AC954_2_1000AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001AC9B4_2_1001AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100178A54_2_100178A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100144AA4_2_100144AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100190BA4_2_100190BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100198BD4_2_100198BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100208D14_2_100208D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001CCD44_2_1001CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001ECE34_2_1001ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001A8F04_2_1001A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100030F64_2_100030F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100035024_2_10003502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001FD104_2_1001FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000251C4_2_1000251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100059234_2_10005923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002292B4_2_1002292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001F14D4_2_1001F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000C1584_2_1000C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001056A4_2_1001056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10014D8D4_2_10014D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000758F4_2_1000758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000FD914_2_1000FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100211934_2_10021193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001D99A4_2_1001D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10019DA14_2_10019DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001B1B54_2_1001B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100225C34_2_100225C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100055E84_2_100055E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000C5FE4_2_1000C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10001A0A4_2_10001A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000220A4_2_1000220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000E21C4_2_1000E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100152204_2_10015220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10009E224_2_10009E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000D2234_2_1000D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10021A3C4_2_10021A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10002A464_2_10002A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100026544_2_10002654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10009A574_2_10009A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100072834_2_10007283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100206874_2_10020687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10014E8A4_2_10014E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000FEA04_2_1000FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001D6A74_2_1001D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000DAAE4_2_1000DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10005AB24_2_10005AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001BEC94_2_1001BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10017ED14_2_10017ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10010ADE4_2_10010ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001AEEB4_2_1001AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001DEF44_2_1001DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100023094_2_10002309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10006B254_2_10006B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10020B344_2_10020B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100213434_2_10021343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100033454_2_10003345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10003F5C4_2_10003F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10011F6B4_2_10011F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001577E4_2_1001577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100093844_2_10009384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10004F8E4_2_10004F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001B3974_2_1001B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10012FA24_2_10012FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10014BAA4_2_10014BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10017BB24_2_10017BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000BFB64_2_1000BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10006FC44_2_10006FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000A3DF4_2_1000A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001BFE84_2_1001BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100203F14_2_100203F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10004C005_2_10004C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000441E5_2_1000441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000F41F5_2_1000F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100020435_2_10002043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100038455_2_10003845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10002A465_2_10002A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001CAA85_2_1001CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100190BA5_2_100190BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100208D15_2_100208D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001ECE35_2_1001ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001AEEB5_2_1001AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001DEF45_2_1001DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001056A5_2_1001056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100093845_2_10009384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001D99A5_2_1001D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10017BB25_2_10017BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10008C095_2_10008C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10001A0A5_2_10001A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000220A5_2_1000220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10011C105_2_10011C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000E21C5_2_1000E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100152205_2_10015220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10009E225_2_10009E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000D2235_2_1000D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000EC275_2_1000EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001F83F5_2_1001F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10021A3C5_2_10021A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001E4415_2_1001E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000A0485_2_1000A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100026545_2_10002654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10009A575_2_10009A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001406E5_2_1001406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10001C765_2_10001C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100072835_2_10007283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100206875_2_10020687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10014E8A5_2_10014E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001748A5_2_1001748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000CC8D5_2_1000CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001D0915_2_1001D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10003C915_2_10003C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000AC955_2_1000AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001AC9B5_2_1001AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000FEA05_2_1000FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100178A55_2_100178A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001D6A75_2_1001D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100144AA5_2_100144AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000DAAE5_2_1000DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10005AB25_2_10005AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100198BD5_2_100198BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001BEC95_2_1001BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10017ED15_2_10017ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001CCD45_2_1001CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10010ADE5_2_10010ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001A8F05_2_1001A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100030F65_2_100030F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100035025_2_10003502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100023095_2_10002309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001FD105_2_1001FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000251C5_2_1000251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100059235_2_10005923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10006B255_2_10006B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1002292B5_2_1002292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10020B345_2_10020B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100213435_2_10021343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100033455_2_10003345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001F14D5_2_1001F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000C1585_2_1000C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10003F5C5_2_10003F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10011F6B5_2_10011F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001577E5_2_1001577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10014D8D5_2_10014D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10004F8E5_2_10004F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000758F5_2_1000758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000FD915_2_1000FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100211935_2_10021193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001B3975_2_1001B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10019DA15_2_10019DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10012FA25_2_10012FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10014BAA5_2_10014BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100143B35_2_100143B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001B1B55_2_1001B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000BFB65_2_1000BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100225C35_2_100225C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10006FC45_2_10006FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000A3DF5_2_1000A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100055E85_2_100055E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1001BFE85_2_1001BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100203F15_2_100203F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000C5FE5_2_1000C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10004C006_2_10004C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000441E6_2_1000441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100038456_2_10003845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10002A466_2_10002A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100208D16_2_100208D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001ECE36_2_1001ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001AEEB6_2_1001AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001DEF46_2_1001DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100093846_2_10009384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001D99A6_2_1001D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10017BB26_2_10017BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10008C096_2_10008C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10001A0A6_2_10001A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000220A6_2_1000220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10011C106_2_10011C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000E21C6_2_1000E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000F41F6_2_1000F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100152206_2_10015220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10009E226_2_10009E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000D2236_2_1000D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000EC276_2_1000EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001F83F6_2_1001F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10021A3C6_2_10021A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001E4416_2_1001E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100020436_2_10002043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000A0486_2_1000A048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100026546_2_10002654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10009A576_2_10009A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001406E6_2_1001406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10001C766_2_10001C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100072836_2_10007283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100206876_2_10020687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10014E8A6_2_10014E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001748A6_2_1001748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000CC8D6_2_1000CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001D0916_2_1001D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10003C916_2_10003C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000AC956_2_1000AC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001AC9B6_2_1001AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000FEA06_2_1000FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100178A56_2_100178A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001D6A76_2_1001D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001CAA86_2_1001CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100144AA6_2_100144AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000DAAE6_2_1000DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10005AB26_2_10005AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100190BA6_2_100190BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100198BD6_2_100198BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001BEC96_2_1001BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10017ED16_2_10017ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001CCD46_2_1001CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10010ADE6_2_10010ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001A8F06_2_1001A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100030F66_2_100030F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100035026_2_10003502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100023096_2_10002309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001FD106_2_1001FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000251C6_2_1000251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100059236_2_10005923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10006B256_2_10006B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1002292B6_2_1002292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10020B346_2_10020B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100213436_2_10021343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100033456_2_10003345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001F14D6_2_1001F14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000C1586_2_1000C158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10003F5C6_2_10003F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10011F6B6_2_10011F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001056A6_2_1001056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001577E6_2_1001577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10014D8D6_2_10014D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10004F8E6_2_10004F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000758F6_2_1000758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000FD916_2_1000FD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100211936_2_10021193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001B3976_2_1001B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10019DA16_2_10019DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10012FA26_2_10012FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10014BAA6_2_10014BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100143B36_2_100143B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001B1B56_2_1001B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000BFB66_2_1000BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100225C36_2_100225C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10006FC46_2_10006FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000A3DF6_2_1000A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100055E86_2_100055E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1001BFE86_2_1001BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_100203F16_2_100203F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000C5FE6_2_1000C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000441E7_2_1000441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001CAA87_2_1001CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100143B37_2_100143B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004C007_2_10004C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10008C097_2_10008C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10001A0A7_2_10001A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000220A7_2_1000220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10011C107_2_10011C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000E21C7_2_1000E21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000F41F7_2_1000F41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100152207_2_10015220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10009E227_2_10009E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000D2237_2_1000D223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000EC277_2_1000EC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001F83F7_2_1001F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10021A3C7_2_10021A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001E4417_2_1001E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100020437_2_10002043