Windows Analysis Report EzCOXP6oxy

Overview

General Information

Sample Name: EzCOXP6oxy (renamed file extension from none to dll)
Analysis ID: 528695
MD5: 0c32d4334246cc061e80fc9cf0780a58
SHA1: eec70a7ff5e0ed8adb1bba38021dc2fdf0b1081d
SHA256: c4e9dbb3e3b37e36574a8d963f3ba83d61beceedfb640e9592b0a416396ca46e
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • svchost.exe (PID: 4596 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 6828 cmdline: loaddll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5880 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6656 cmdline: rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3996 cmdline: rundll32.exe C:\Users\user\Desktop\EzCOXP6oxy.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4036 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd",xjdXnltVst MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • SgrmBroker.exe (PID: 6812 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3640 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2528 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4776 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.289870644.0000000004C20000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000C.00000002.810681340.0000000005590000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000C.00000002.810823822.00000000056B0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000C.00000002.807533185.0000000000EC0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.293225547.0000000004E00000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(5 of 12 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.rundll32.exe.56b0000.14.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
12.2.rundll32.exe.5440000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
10.2.rundll32.exe.ba0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
7.2.rundll32.exe.4ba0000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
7.2.rundll32.exe.4e00000.6.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(5 of 29 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd",xjdXnltVst, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4036, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL, ProcessId: 4820

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.4e00000.6.raw.unpack | Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: EzCOXP6oxy.dll | Virustotal: Detection: 24%
Machine Learning detection for sample
Source: EzCOXP6oxy.dll | Joe Sandbox ML: detected
Source: EzCOXP6oxy.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,7_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_04B01A80 FindFirstFileW,12_2_04B01A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.3:49753 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration (see the C2 list under Malware Configuration above)
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: GET /icsZGkxVGlJGXERpNMAkbBhZsRBvNu HTTP/1.1 Cookie: VzjNaqMqfocdBX=JqOFPJj7PozLdKiIb0Q3hTC9S0ITJTlgaaPM+YcmQ+fGgQl2sU3kSVveu+UxKl7l5E+Vn1v6pOOBNhr6RStkjXoxolELe8X2rLolboD84KIbkDlniHtSL4LHWkLSPni84AFgz3zocxEbBvWcJ4AIekqVpd4PNQbkLSdE6RHCposw2iNPMgXzABlR4bdx4TfSbUboMCHHuhHdRCg++6AooUBOAMfdms1jbZdvw1sJsdZ86jaS+IXQjmI/Fz4GX2r0Zs0TBoVdanVa0yqw Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 196.44.98.190
Source: Joe Sandbox View | IP Address: 78.46.73.125
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, rundll32.exe, 00000007.00000002.293578987.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.289963723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.293837544.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.811051934.0000000010056000.00000002.00020000.sdmp, EzCOXP6oxy.dll | String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000012.00000002.409866458.0000029BE8500000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000012.00000002.409866458.0000029BE8500000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000000.00000002.305931434.00000281D9613000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: rundll32.exe, rundll32.exe, 00000007.00000002.293578987.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.289963723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.293837544.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.811051934.0000000010056000.00000002.00020000.sdmp, EzCOXP6oxy.dll | String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.305584881.00000281D9649000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305988649.00000281D964E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.305660884.00000281D9641000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305976318.00000281D9642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.305660884.00000281D9641000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305976318.00000281D9642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.305624709.00000281D965A000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305997290.00000281D965C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.305655167.00000281D9645000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.305609223.00000281D9661000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.305931434.00000281D9613000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305968261.00000281D963D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.305642246.00000281D9640000.00000004.00000001.sdmp, svchost.exe, 00000000.00000003.305655167.00000281D9645000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.283916723.00000281D9631000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305960947.00000281D963A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000003.305584881.00000281D9649000.00000004.00000001.sdmp, svchost.exe, 00000000.00000002.305988649.00000281D964E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000012.00000003.388561812.0000029BE8573000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388685824.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.388655543.0000029BE8594000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000012.00000003.389642570.0000029BE85C8000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389696294.0000029BE85B1000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389711075.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389687376.0000029BE8590000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389671797.0000029BE85C8000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B11027 InternetReadFile
                      Source: global trafficHTTP traffic detected: GET /icsZGkxVGlJGXERpNMAkbBhZsRBvNu HTTP/1.1Cookie: VzjNaqMqfocdBX=JqOFPJj7PozLdKiIb0Q3hTC9S0ITJTlgaaPM+YcmQ+fGgQl2sU3kSVveu+UxKl7l5E+Vn1v6pOOBNhr6RStkjXoxolELe8X2rLolboD84KIbkDlniHtSL4LHWkLSPni84AFgz3zocxEbBvWcJ4AIekqVpd4PNQbkLSdE6RHCposw2iNPMgXzABlR4bdx4TfSbUboMCHHuhHdRCg++6AooUBOAMfdms1jbZdvw1sJsdZ86jaS+IXQjmI/Fz4GX2r0Zs0TBoVdanVa0yqwHost: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache
                      Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49753 version: TLS 1.2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10023471 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Source: EzCOXP6oxy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nqaukzzzqxw\