Windows Analysis Report cRC6TZG6Wx

Overview

General Information

Sample Name: cRC6TZG6Wx (renamed file extension from none to dll)
Analysis ID: 528001
MD5: 8f6552b136a4dd8719c898f90df1ba44
SHA1: fea5b1d5e44dc58be42e472254e9b62b5caec532
SHA256: 03995882170eb6ebacaa47f77fc0c2e8fd78e17ab5427fbe3c70b2f91f46e44d
Tags: 32, dll, exe, trojan
Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 7156 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 1464 cmdline: loaddll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6412 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4516 cmdline: rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5000 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cRC6TZG6Wx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6384 cmdline: rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5776 cmdline: rundll32.exe C:\Users\user\Desktop\cRC6TZG6Wx.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6620 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj",HSFp MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 4720 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zrrbzia\fotuyl.lzj",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • SgrmBroker.exe (PID: 6456 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6444 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5528 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2528 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2464 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6284 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000003.360457905.0000000003396000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.290674131.0000000000576000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.289238760.0000000000D86000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000E.00000002.809828703.0000000003396000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000003.289903082.0000000000576000.00000004.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
11.3.rundll32.exe.576c48.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.576c48.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.d86b70.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.9c77f0.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.3.rundll32.exe.576c48.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zrrbzia\fotuyl.lzj",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zrrbzia\fotuyl.lzj",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj",HSFp, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6620, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zrrbzia\fotuyl.lzj",Control_RunDLL, ProcessId: 4720

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 14.2.rundll32.exe.33a6b88.0.raw.unpack | Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: cRC6TZG6Wx.dll | Virustotal: Detection: 18%
Source: cRC6TZG6Wx.dll | ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: cRC6TZG6Wx.dll | Joe Sandbox ML: detected
Source: cRC6TZG6Wx.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: cRC6TZG6Wx.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EA4188A FindFirstFileExW,7_2_6EA4188A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6EA4188A FindFirstFileExW,8_2_6EA4188A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_10011A80 FindFirstFileW,14_2_10011A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49744 -> 51.178.61.60:443
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49745 -> 168.197.250.14:80
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49746 -> 45.79.33.48:8080
Source: Traffic | Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.3:49749 -> 196.44.98.190:8080
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49753 -> 177.72.80.14:7080
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.3:49753
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 196.44.98.190 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.79.33.48 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 177.72.80.14 168
C2 URLs / IPs found in malware configuration (full C2 list as extracted under Malware Configuration above)
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
  GET /cOCoCBOnwtlaPwqgYJsibWlqGyXElLKsrFlsKtesNMVjGBKbplkpiwohTqB HTTP/1.1
  Cookie: CkaS=ZjwItdmT1ECYLtgJezxI3JoumM8yxrkDUD9XymD7kyc8EbFQVqQJDR+HcOYSYNuqm3GMHu9tyWocT2ebwQjCT6CFKOh4yFKGfmNQGEMjfJcGVJjfSjxi61uxl8IdZPCLFGO75XaQUz9hc2k46HlLfbLprvARhND47YDAUKst2IWTLUjdHo81K4H5Zdm6jP/AHUWKX74rhhb7vRaxi+yY5yVTZPMAbash8y0fiFtequ8CyFQdGqZu5JTKVCv/0hHiIAyjkgSlIkQi
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 196.44.98.190 196.44.98.190
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 45.79.33.48:8080
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 196.44.98.190:8080
Source: global traffic | TCP traffic: 192.168.2.3:49753 -> 177.72.80.14:7080
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 24 Nov 2021 15:50:35 GMT
  Content-Type: text/html
  Content-Length: 162
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown | TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown | TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: svchost.exe, 00000017.00000002.451268735.000002032F500000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000017.00000002.451129288.000002032ECE9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000000.00000002.305883375.0000025239A13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.305978867.0000025239A4E000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305596745.0000025239A49000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305655077.0000025239A41000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305965440.0000025239A42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305655077.0000025239A41000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305965440.0000025239A42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.305987115.0000025239A5C000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305622827.0000025239A5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.305596745.0000025239A49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.305606531.0000025239A61000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.283882985.0000025239A31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305883375.0000025239A13000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305959174.0000025239A3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.283882985.0000025239A31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.305649382.0000025239A45000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.305637691.0000025239A40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.305952891.0000025239A3A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.283882985.0000025239A31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000000.00000002.305978867.0000025239A4E000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305596745.0000025239A49000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000017.00000002.451350633.000002032F550000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430213451.000002032F573000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430181359.000002032F5B5000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430163444.000002032F5B4000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430251345.000002032F5D3000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.430226197.000002032F584000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000017.00000003.431490413.000002032F5C6000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431504169.000002032F5C6000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431535096.000002032F5AF000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431519298.000002032F58E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.431554045.000002032FA02000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10021027 InternetReadFile,14_2_10021027
                      Source: global trafficHTTP traffic detected: GET /cOCoCBOnwtlaPwqgYJsibWlqGyXElLKsrFlsKtesNMVjGBKbplkpiwohTqB HTTP/1.1Cookie: CkaS=ZjwItdmT1ECYLtgJezxI3JoumM8yxrkDUD9XymD7kyc8EbFQVqQJDR+HcOYSYNuqm3GMHu9tyWocT2ebwQjCT6CFKOh4yFKGfmNQGEMjfJcGVJjfSjxi61uxl8IdZPCLFGO75XaQUz9hc2k46HlLfbLprvARhND47YDAUKst2IWTLUjdHo81K4H5Zdm6jP/AHUWKX74rhhb7vRaxi+yY5yVTZPMAbash8y0fiFtequ8CyFQdGqZu5JTKVCv/0hHiIAyjkgSlIkQiHost: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49744 version: TLS 1.2
                      Source: loaddll32.exe, 00000001.00000002.293245588.0000000000F6B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
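The GET request captured above is the one Emotet beacon the report shows, and it has the shape Emotet's loader used at the time: a GET with no User-Agent, a Host header that is a bare IP, a single random-looking path segment, and one short-named cookie whose value is a base64-wrapped encrypted blob. The Python below is an added example, not part of the Joe Sandbox report: it parses that request as printed in the report and scores those traits, with a constructed benign request for contrast. The trait list, the 3-of-4 alert threshold and the size cut-offs are assumptions for illustration, not a published rule. The cookie blob is ciphertext, so the check looks only at its shape and size and does not try to decrypt it.

```python
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass

# Request exactly as captured in the sandbox report (the only beacon the page shows).
EMOTET_REQUEST = (
    "GET /cOCoCBOnwtlaPwqgYJsibWlqGyXElLKsrFlsKtesNMVjGBKbplkpiwohTqB HTTP/1.1\r\n"
    "Cookie: CkaS=ZjwItdmT1ECYLtgJezxI3JoumM8yxrkDUD9XymD7kyc8EbFQVqQJDR+HcOYSYNuqm3GMHu9tyWocT2ebwQjCT6CFKOh4yFKGfmNQGEMjfJcGVJjfSjxi61uxl8IdZPCLFGO75XaQUz9hc2k46HlLfbLprvARhND47YDAUKst2IWTLUjdHo81K4H5Zdm6jP/AHUWKX74rhhb7vRaxi+yY5yVTZPMAbash8y0fiFtequ8CyFQdGqZu5JTKVCv/0hHiIAyjkgSlIkQi\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Constructed benign request (not from the report) used as a negative control.
BENIGN_REQUEST = (
    "GET /search?q=emotet HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Accept: text/html\r\n\r\n"
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.1 request (request line plus headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_cookie_blob(value: str):
    """Return the decoded bytes if `value` has the shape of a base64 blob, else None.
    Emotet's blob is ciphertext, so only its shape and size are inspected."""
    if not _B64_SHAPE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4 address (host or host:port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def emotet_beacon_indicators(req: Request) -> list:
    """Return the list of beacon traits (assumed heuristics) present in the request."""
    hits = []
    if req.method == "GET" and "user-agent" not in req.headers:
        hits.append("GET without a User-Agent header")
    host = req.headers.get("host", "")
    if host and is_ip_literal(host):
        hits.append("Host header is a bare IP literal")
    if re.fullmatch(r"/[A-Za-z]{16,}", req.path):
        hits.append("single alphabetic path segment")
    cookie = req.headers.get("cookie", "")
    if cookie and ";" not in cookie:  # exactly one cookie, no browser-style jar
        name, sep, value = cookie.partition("=")
        blob = decode_cookie_blob(value) if sep else None
        if blob is not None and len(name) <= 8 and len(blob) >= 64:
            hits.append(f"single cookie {name!r} carrying a {len(blob)}-byte opaque blob")
    return hits


def looks_like_emotet_beacon(raw: str, threshold: int = 3) -> bool:
    """Alert only when several traits co-occur; any one alone is common in benign traffic."""
    return len(emotet_beacon_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for label, raw in (("sandbox capture", EMOTET_REQUEST), ("constructed benign", BENIGN_REQUEST)):
        hits = emotet_beacon_indicators(parse_request(raw))
        print(f"{label}: {'ALERT' if len(hits) >= 3 else 'ok'} {hits}")
```

The report records this connection as TLS 1.2 to 51.178.61.60:443, so these headers are only visible where TLS is terminated or inspected (a sandbox capture, a forward proxy) and not on the raw wire; at the network edge the usable signal reduces to the destination IP and port and the JA3 fingerprint the report lists.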

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 11.3.rundll32.exe.576c48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.576c48.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.d86b70.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.9c77f0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.3.rundll32.exe.576c48.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.31d6b60.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.31d6b60.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.d86b70.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.33a6b88.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.9c77f0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.576c48.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.3.rundll32.exe.33a6b88.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.33a6b88.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.3.rundll32.exe.33a6b88.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.3.rundll32.exe.33a6b88.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.rundll32.exe.9c77f0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.3.rundll32.exe.33a6b88.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000E.00000003.360457905.0000000003396000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.290674131.0000000000576000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.289238760.0000000000D86000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.809828703.0000000003396000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000003.289903082.0000000000576000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.293376232.00000000009BF000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.296343256.00000000031D6000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000003.289844390.0000000000576000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.289024016.00000000009C7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000003.413105360.0000000003396000.00000004.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: cRC6TZG6Wx.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Zrrbzia\fotuyl.lzj:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Zrrbzia\
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EA3B2B0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EA39F20
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EA3BB30
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EA3B080
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EA46564
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6EA3BB30
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6EA3B2B0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6EA39F20
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6EA3B080
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6EA46564
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000441E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100143B3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10004C00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10008C09
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10011C10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000F41F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000EC27
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001F83F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001E441
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10002043
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10003845
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000A048
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001406E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10001C76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001748A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001D091
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10003C91
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000AC95
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100178A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100144AA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100190BA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100198BD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100208D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100030F6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10003502
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001FD10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000251C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10005923
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1002292B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001F14D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000C158
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001056A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10014D8D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000758F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000FD91
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10021193
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001D99A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10019DA1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100225C3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000C5FE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10001A0A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000220A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000E21C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10015220
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10009E22
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000D223
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10021A3C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10002A46
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10002654
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10009A57
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10007283
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10020687
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10014E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10005AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10017ED1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10010ADE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10002309
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10006B25
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10020B34
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10021343
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10003345
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10003F5C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10011F6B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001577E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10009384
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10004F8E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001B397
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10012FA2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10014BAA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10017BB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000BFB6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_10006FC4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1000A3DF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_1001BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_100203F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10004C00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000441E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000F41F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10002043
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10003845
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10002A46
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_100190BA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_100208D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001056A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10009384
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001D99A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10017BB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10008C09
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10001A0A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000220A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10011C10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000E21C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10015220
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10009E22
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000D223
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000EC27
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001F83F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10021A3C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001E441
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000A048
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10002654
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10009A57
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001406E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10001C76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10007283
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10020687
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10014E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001748A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000CC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001D091
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10003C91
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000AC95
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000FEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_100178A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_100144AA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000DAAE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10005AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_100198BD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10017ED1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10010ADE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_100030F6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10003502
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10002309
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001FD10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000251C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10005923
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10006B25
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1002292B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10020B34
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10021343
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10003345
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1001F14D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_1000C158
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10003F5C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_10011F6B