
Windows Analysis Report C1Q17Dg4RT

Overview

General Information

Sample Name: C1Q17Dg4RT (renamed file extension from none to dll)
Analysis ID: 528610
MD5: f83706e4fe73485bf327804499cc6fd8
SHA1: 05ae9590fed2006a2f1e21fe764991cf5c583e3a
SHA256: 4f21d684498a02055ede67830213531c009f720f90759cc9dd448fd5ee7efda8
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7028 cmdline: loaddll32.exe "C:\Users\user\Desktop\C1Q17Dg4RT.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7040 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\C1Q17Dg4RT.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7084 cmdline: rundll32.exe "C:\Users\user\Desktop\C1Q17Dg4RT.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 7140 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\C1Q17Dg4RT.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe C:\Users\user\Desktop\C1Q17Dg4RT.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3840 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn",bodHOobbf MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5184 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • svchost.exe (PID: 3840 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6516 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6780 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.1188240103.0000000000C50000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.668464458.0000000004B00000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.671239557.0000000004590000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.668026520.0000000004490000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.1189625609.00000000052C0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(5 of 12 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.4490000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.49f0000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.4f30000.10.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.rundll32.exe.5180000.8.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.rundll32.exe.51e0000.10.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(5 of 29 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn",bodHOobbf, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3840, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn",Control_RunDLL, ProcessId: 5184
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\C1Q17Dg4RT.dll,Control_RunDLL, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 3840

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.49f0000.2.raw.unpack | Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: C1Q17Dg4RT.dll | Virustotal: Detection: 18%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/ | Virustotal: Detection: 9%
Machine Learning detection for sample
Source: C1Q17Dg4RT.dll | Joe Sandbox ML: detected
Source: C1Q17Dg4RT.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,3_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F81A80 FindFirstFileW,8_2_02F81A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49761 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 51.178.61.60:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 45.79.33.48:8080
Source: Malware configuration extractor | IPs: 196.44.98.190:8080
Source: Malware configuration extractor | IPs: 177.72.80.14:7080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.169.10:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
  GET /VtLzTEhqBTrfUHTzlEYylqfrZhDUxRgnnElbomFRYYtiefwTHaxoLgoZgK HTTP/1.1
  Cookie: DEYHAnpMtwYR=Z/mHSE8Ps4h9CG5svP8E5DUq3fG47PNUdJrY42wkoxyiQenMQUJQbdWriNMZorJMCDtgRjTAvS8suqimOhIKWSgvpXEf9q1KLg7Grf7XIvCYf9L3yT8a5oDm5I7ZeTXDVK07LmobxPBykzntJhz8lP5WAy0pMSkIoMrAsnDr2N1CDLgCXjVB8IxHpnM+dRoHgHG2ur7wUIDYdfJr1rucLpBRc+8qtNc4H7AwZ1gAzhUzmZBb/mRztdogLMVpPYonK+a7p7AcqXW/YbxCf+hJA3MdNmKnhgyDZalJYp/BgIa9UJ18Tq1flwOD7G1vW6GLdGw0PA==
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 196.44.98.190 196.44.98.190
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 0000000F.00000003.793432336.0000024A32D89000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.793432336.0000024A32D89000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.793457632.0000024A32D9A000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.793432336.0000024A32D89000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000003.00000002.669501723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.667031889.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.671390367.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1190044401.0000000010056000.00000002.00020000.sdmp, C1Q17Dg4RT.dll | String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: rundll32.exe, 00000008.00000003.690149511.000000000309D000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.1188980640.000000000309D000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.808503596.0000024A32D00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000F.00000002.808335203.0000024A324F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000F.00000003.787256722.0000024A32D6E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787271637.0000024A32D90000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787211230.0000024A33202000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, rundll32.exe, 00000003.00000002.669501723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.667031889.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.671390367.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1190044401.0000000010056000.00000002.00020000.sdmp, C1Q17Dg4RT.dll | String found in binary or memory: http://www.yahoo.com
Source: rundll32.exe, 00000008.00000002.1188888017.000000000300A000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000002.1188956891.000000000307A000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.690203780.0000000003078000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000008.00000002.1188920250.0000000003054000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.690203780.0000000003078000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/VtLzTEhqBTrfUHTzlEYylqfrZhDUxRgnnElbomFRYYtiefwTHaxoLgoZgK
Source: rundll32.exe, 00000008.00000002.1188956891.000000000307A000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.690203780.0000000003078000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/wK=Q
Source: svchost.exe, 0000000F.00000003.787256722.0000024A32D6E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787271637.0000024A32D90000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787211230.0000024A33202000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000F.00000003.787256722.0000024A32D6E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787271637.0000024A32D90000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787211230.0000024A33202000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000F.00000003.787256722.0000024A32D6E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787271637.0000024A32D90000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.787211230.0000024A33202000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000F.00000003.790409210.0000024A32D7F000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.790449939.0000024A33202000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F91027 InternetReadFile,8_2_02F91027
Source: global traffic | HTTP traffic detected:
  GET /VtLzTEhqBTrfUHTzlEYylqfrZhDUxRgnnElbomFRYYtiefwTHaxoLgoZgK HTTP/1.1
  Cookie: DEYHAnpMtwYR=Z/mHSE8Ps4h9CG5svP8E5DUq3fG47PNUdJrY42wkoxyiQenMQUJQbdWriNMZorJMCDtgRjTAvS8suqimOhIKWSgvpXEf9q1KLg7Grf7XIvCYf9L3yT8a5oDm5I7ZeTXDVK07LmobxPBykzntJhz8lP5WAy0pMSkIoMrAsnDr2N1CDLgCXjVB8IxHpnM+dRoHgHG2ur7wUIDYdfJr1rucLpBRc+8qtNc4H7AwZ1gAzhUzmZBb/mRztdogLMVpPYonK+a7p7AcqXW/YbxCf+hJA3MdNmKnhgyDZalJYp/BgIa9UJ18Tq1flwOD7G1vW6GLdGw0PA==
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: loaddll32.exe, 00000000.00000002.670722877.000000000152B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,3_2_10013EC9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 3.2.rundll32.exe.4490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4f30000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5180000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.51e0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4f30000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2f30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.53d0000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2fd0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.52c0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.5180000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.52c0000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4dd0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4b00000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.54e0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.54e0000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2f30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4f20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4dd0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.51e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.4f20000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4d70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.53d0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.2fd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1188240103.0000000000C50000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.668464458.0000000004B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.671239557.0000000004590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.668026520.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1189625609.00000000052C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.668622668.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.668809843.0000000004F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1189710896.00000000053D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1189540310.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1189457240.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.668701586.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1189341627.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1189919443.00000000054E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.666551586.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1188748854.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1188860323.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.668354597.00000000049F0000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: C1Q17Dg4RT.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Lvlnfylhimqtye\jmzjbgkmzepuh.rrn:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Lvlnfylhimqtye\