Windows Analysis Report EzCOXP6oxy

Overview

General Information

Sample Name: EzCOXP6oxy (renamed file extension from none to dll)
Analysis ID: 528695
MD5: 0c32d4334246cc061e80fc9cf0780a58
SHA1: eec70a7ff5e0ed8adb1bba38021dc2fdf0b1081d
SHA256: c4e9dbb3e3b37e36574a8d963f3ba83d61beceedfb640e9592b0a416396ca46e
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • svchost.exe (PID: 4596 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 6828 cmdline: loaddll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5880 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6656 cmdline: rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EzCOXP6oxy.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3996 cmdline: rundll32.exe C:\Users\user\Desktop\EzCOXP6oxy.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4036 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd",xjdXnltVst MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • SgrmBroker.exe (PID: 6812 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3640 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2528 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4776 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.289870644.0000000004C20000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.810681340.0000000005590000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.810823822.00000000056B0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.807533185.0000000000EC0000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.293225547.0000000004E00000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.rundll32.exe.56b0000.14.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.5440000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.ba0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.4ba0000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.4e00000.6.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd",xjdXnltVst, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4036, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nqaukzzzqxw\injbvoyze.mwd",Control_RunDLL, ProcessId: 4820

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.4e00000.6.raw.unpack, Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: EzCOXP6oxy.dll, Virustotal: Detection: 24%
Machine Learning detection for sample
Source: EzCOXP6oxy.dll, Joe Sandbox ML: detected
Source: EzCOXP6oxy.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 12_2_04B01A80 FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.3:49753 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected: GET /icsZGkxVGlJGXERpNMAkbBhZsRBvNu HTTP/1.1, Cookie: VzjNaqMqfocdBX=JqOFPJj7PozLdKiIb0Q3hTC9S0ITJTlgaaPM+YcmQ+fGgQl2sU3kSVveu+UxKl7l5E+Vn1v6pOOBNhr6RStkjXoxolELe8X2rLolboD84KIbkDlniHtSL4LHWkLSPni84AFgz3zocxEbBvWcJ4AIekqVpd4PNQbkLSdE6RHCposw2iNPMgXzABlR4bdx4TfSbUboMCHHuhHdRCg++6AooUBOAMfdms1jbZdvw1sJsdZ86jaS+IXQjmI/Fz4GX2r0Zs0TBoVdanVa0yqw, Host: 51.178.61.60, Connection: Keep-Alive, Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190 196.44.98.190
Source: Joe Sandbox View, IP Address: 78.46.73.125 78.46.73.125
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown, Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, rundll32.exe, 00000007.00000002.293578987.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.289963723.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.293837544.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.811051934.0000000010056000.00000002.00020000.sdmp, EzCOXP6oxy.dll, String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
                      Source: svchost.exe, 00000012.00000003.389642570.0000029BE85C8000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389696294.0000029BE85B1000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389711075.0000029BE8A02000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389687376.0000029BE8590000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.389671797.0000029BE85C8000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04B11027 InternetReadFile
                      Source: global traffic HTTP traffic detected:
                        GET /icsZGkxVGlJGXERpNMAkbBhZsRBvNu HTTP/1.1
                        Cookie: VzjNaqMqfocdBX=JqOFPJj7PozLdKiIb0Q3hTC9S0ITJTlgaaPM+YcmQ+fGgQl2sU3kSVveu+UxKl7l5E+Vn1v6pOOBNhr6RStkjXoxolELe8X2rLolboD84KIbkDlniHtSL4LHWkLSPni84AFgz3zocxEbBvWcJ4AIekqVpd4PNQbkLSdE6RHCposw2iNPMgXzABlR4bdx4TfSbUboMCHHuhHdRCg++6AooUBOAMfdms1jbZdvw1sJsdZ86jaS+IXQjmI/Fz4GX2r0Zs0TBoVdanVa0yqw
                        Host: 51.178.61.60
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                      Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49753 version: TLS 1.2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10023471 SendMessageA, UpdateWindow, GetKeyState, GetKeyState, GetKeyState, GetParent, PostMessageA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013EC9 ScreenToClient, _memset, GetKeyState, GetKeyState, GetKeyState, KillTimer, IsWindow

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Source: EzCOXP6oxy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Nqaukzzzqxw\injbvoyze.mwd:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nqaukzzzqxw\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00BD3345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00BF1343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B078A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B044AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFAC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0DEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0ECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF30F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B108D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B07ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFEC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0F83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B05220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF3845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF2043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B02FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFBFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B04BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF9384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF55E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFC5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B10B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B090BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B098BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0D6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0CAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0D091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFCC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0AC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF7283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B10687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B04E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF3C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0A8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0AEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0CCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B00ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0BEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFD223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF9E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B11A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B01C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF8C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF4C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFF41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFE21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF1C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFA048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF2A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0E441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF9A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF2654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B07BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B043B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0B1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B09DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B11193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0B397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0D99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B04D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFFD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B103F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0BFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B125C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF6B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF5923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B1292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0FD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF2309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF3502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B01F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF3345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B11343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AF3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04AFC158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04B0F14D
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 10041CAB appears 90 times
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 10041DB8 appears 37 times