Windows Analysis Report NjTYb3VyzV

Overview

General Information

Sample Name: NjTYb3VyzV (renamed file extension from none to dll)
Analysis ID: 528810
MD5: 944f5dec057269043eeb02d551e1593f
SHA1: c6dc40330793e23a88753d1a5ba18142a0eb33b9
SHA256: 651b117d5a6c37b255cbfa465740b4ea3cea29d41175338c83b1d5b416c29a01
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3012 cmdline: loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 1536 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4624 cmdline: rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4692 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5116 cmdline: rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3180 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"], "C2 list": ["91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.4ce0000.14.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
2.2.rundll32.exe.4cf0000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.5140000.22.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
2.2.rundll32.exe.4ed0000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.4980000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 35 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6648, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, ProcessId: 1972

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.4980000.8.raw.unpack, Malware Configuration Extractor: Emotet (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: NjTYb3VyzV.dll, Virustotal: Detection: 13%
Machine Learning detection for sample
Source: NjTYb3VyzV.dll, Joe Sandbox ML: detected
Source: NjTYb3VyzV.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA,2_2_100062E3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,2_2_10004E7C
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_0418B2CC FindFirstFileW,8_2_0418B2CC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.6:49762 -> 91.200.186.228:443
Source: Traffic, Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 41.76.108.46:8080 -> 192.168.2.6:49765
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 41.76.108.46 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 91.200.186.228 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: the 28 C2 endpoints listed under Malware Configuration above
Source: Joe Sandbox View, ASN Name: OnlineSASFR
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View, IP Address: 195.154.133.20
Source: Joe Sandbox View, IP Address: 212.237.17.99
Source: global traffic, TCP traffic: 192.168.2.6:49765 -> 41.76.108.46:8080
Source: unknown, Network traffic detected: IP country count 19
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown, Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown, TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: svchost.exe, 00000011.00000002.483653675.00000125DAD00000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.483357499.00000125DA4EE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.463658536.00000125DAD7E000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_041818CA InternetReadFile,8_2_041818CA
Source: loaddll32.exe, 00000000.00000002.350641355.0000000000FCB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_10009963 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_10009963

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: NjTYb3VyzV.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Xzrjbnqqcb\
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_100141F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_1000B24B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10023277
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_100145C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_100227EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_1002396F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_100149D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10013D1C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10022D33
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10014DF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_1001AE22
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10024F42
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04724410
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047374A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04738563
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472E6C7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473A049
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04736349
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04737C07
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473FCD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04730F1B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472480A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04723894
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047309F3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04734A72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473FABB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472BA95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473F43B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04735406
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472D407
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047424FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047284B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473848F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472F574
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473D530
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047265A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473E5A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047275A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04730610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473A614
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473261D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04726693
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04722735
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472F71C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04728784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472F07C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472606B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472C0E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473B0DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472E09E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04742081
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473708B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473313F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472226A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472825D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473D2E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472E2D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472A34E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047313D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473B3B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047393A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04738389
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473EC2D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04727C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04734CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04735CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473BD6A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04724D32
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472ED39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473AD26
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472DD02
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04736DF8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473DDD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04721DB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04725E78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472CE30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473CED5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04731F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473EF6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472CF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472AFF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473E84B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473584C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047338F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472C8D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04739886
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04725973
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473F93D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472193C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_047299D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04738996
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0473D99C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04742A78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04727A51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472FA3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04737AF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0472CAD5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04726B58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04731BB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04741B95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04634A72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04623894
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462226A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462606B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04625E78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04642A78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462F07C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463E84B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463A049
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463584C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04627A51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462825D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463EC2D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462CE30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463F43B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462FA3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04637C07
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04635406
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462D407
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462480A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04624410
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04627C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04630610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463A614
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463261D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463D2E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462C0E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046338F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04637AF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04634CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046424FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462E6C7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462C8D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462E2D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463CED5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462CAD5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463FCD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463B0DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04635CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046374A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046284B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463FABB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04642081
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04639886
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463708B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463848F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04626693
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462BA95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462E09E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04638563
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463BD6A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463EF6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04625973
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462F574
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04631F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04636349
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462A34E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04626B58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463AD26
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04624D32
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463D530
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04622735
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462ED39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462CF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463313F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463F93D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462193C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462DD02
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04630F1B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462F71C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046309F3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0462AFF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04636DF8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463DDD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046313D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046299D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046265A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046393A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463E5A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046275A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04621DB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04631BB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463B3B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04628784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04638389
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04641B95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04638996
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0463D99C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04074A72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04063894
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04077C07
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04075406
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406D407
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406480A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407A614
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04064410
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04067C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04070610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407261D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407EC2D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406CE30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406FA3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407F43B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407584C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407E84B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407A049
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04067A51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406825D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406226A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406606B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04082A78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406F07C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04065E78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04079886
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407848F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04082081
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407708B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406BA95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04066693
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406E09E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04075CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040774A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040684B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407FABB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406E6C7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406E2D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407CED5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406CAD5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406C8D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407B0DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407FCD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407D2E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406C0E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04077AF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04074CF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040824FA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040738F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406DD02
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406F71C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04070F1B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407AD26
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04062735
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04064D32
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407D530
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407313F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407F93D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406193C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406ED39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406CF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406A34E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04076349
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04066B58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04078563
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407EF6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407BD6A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0406F574
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04065973
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04071F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04068784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04078389
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04078996
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407D99C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04081B95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040665A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040793A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0407E5A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_040675A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04071BB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04061DB2
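The identifiers in the Yara and code-function rows above follow a fixed scheme that is worth parsing rather than reading by eye: an unpacked-PE hit is named <pid>.<stage>.<image>.<base>.<index>[.raw].unpack, a memory-dump hit is <pid>.<stage>.<dump id>.<base>.<protection>.<flags>.sdmp with the numeric fields in hex, and a code-function entry is <pid>_<stage>_<address>. Parsing them lets an analyst tie each memory match to the PE carved from the same region (8.2.rundll32.exe.4ce0000.14.unpack and the sdmp at 0x4CE0000 in PID 8 are the same payload), list which rundll32 PIDs (2, 3, 6, 8) received injected code, and separate functions inside the loaded DLL image (the 0x1001xxxx addresses, near the 0x10000000 default DLL image base) from those in dynamically allocated regions (0x047xxxxx, 0x046xxxxx, 0x040xxxxx). The Python below is an added example written for this page, not code from the Joe Sandbox report or its tooling; the " | " separator between the Source and event columns, the reading of the fifth sdmp field as a Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE) and the name "stage" for the second field are assumptions about the report's naming, and the sample rows are copied from this page.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from this report, written as
# "Source: <origin> | <event>: <detail>" (the " | " separator is an assumption
# about how the report's table cells were laid out).
SAMPLE_ROWS = [
    "Source: Yara match | File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | File deleted: C:\\Windows\\SysWOW64\\Xzrjbnqqcb\\ruunnfqf.mlu:Zone.Identifier",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | File created: C:\\Windows\\SysWOW64\\Xzrjbnqqcb\\",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 2_2_100141F1",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 2_2_04724410",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 3_2_04634A72",
]

ROW_RE = re.compile(r"^Source: (?P<origin>.+?) \| (?P<kind>[^:]+): (?P<detail>.+)$")
# <pid>.<stage>.<image>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)"
    r"\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")
# <pid>.<stage>.<dump id>.<base>.<protection>.<flags>.sdmp, all but the dump id in hex.
# Treating the fifth field as a Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE)
# is an assumption; the report does not document the field layout.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp$")
CODEFN_RE = re.compile(r"^(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})$")
PAGE_EXECUTE_READWRITE = 0x40


def parse_yara_source(name, typ):
    """Decode a 'File source' name into its pid / stage / base components."""
    if typ == "UNPACKEDPE":
        m = UNPACK_RE.match(name)
        return {"event": "yara_unpacked_pe", "pid": int(m["pid"]), "stage": int(m["stage"]),
                "image": m["image"], "base": int(m["base"], 16), "raw": bool(m["raw"]), "name": name}
    if typ == "MEMORY":
        m = SDMP_RE.match(name)
        return {"event": "yara_memory", "pid": int(m["pid"], 16), "stage": int(m["stage"], 16),
                "base": int(m["base"], 16), "protect": int(m["prot"], 16), "name": name}
    raise ValueError("unknown Yara source type: " + typ)


def parse_row(row):
    """Turn one report row into a dict, or None if the line is not a behaviour row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    origin, kind, detail = m.group("origin", "kind", "detail")
    if kind == "File source":
        name, _, typ = detail.partition(", type: ")
        return parse_yara_source(name, typ)
    if kind == "Code function":
        c = CODEFN_RE.match(detail)
        return {"event": "code_function", "process": origin, "pid": int(c["pid"]),
                "stage": int(c["stage"]), "addr": int(c["addr"], 16)}
    # File created / File deleted / anything else: keep the path verbatim.
    return {"event": kind.lower().replace(" ", "_"), "process": origin, "path": detail}


def summarize(rows):
    """Correlate memory-dump Yara hits with unpacked PEs and collect the other indicators."""
    recs = [r for r in map(parse_row, rows) if r]
    pe_by_region = defaultdict(list)
    for r in recs:
        if r["event"] == "yara_unpacked_pe":
            pe_by_region[(r["pid"], r["stage"], r["base"])].append(r["name"])
    memory = {}
    for r in recs:
        if r["event"] == "yara_memory":
            memory[r["name"]] = {
                "rwx": r["protect"] == PAGE_EXECUTE_READWRITE,
                "unpacked_pe": pe_by_region.get((r["pid"], r["stage"], r["base"]), []),
            }
    funcs = defaultdict(set)
    for r in recs:
        if r["event"] == "code_function":
            funcs[r["pid"]].add(r["addr"])
    return {
        "pids": sorted({r["pid"] for r in recs if "pid" in r}),
        "memory_matches": memory,
        "code_functions": {pid: sorted(a) for pid, a in funcs.items()},
        "zone_identifier_deleted": [r["path"] for r in recs
                                    if r["event"] == "file_deleted" and r["path"].endswith(":Zone.Identifier")],
        "system_dirs_created": [r["path"] for r in recs if r["event"] == "file_created"
                                and r["path"].lower().startswith("c:\\windows\\syswow64\\")],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Running it on the full row list of this report gives one entry per sdmp with the carved PE names that share its PID and base, which is the quickest way to pick the dump to load into a disassembler; dumps whose base has no matching unpack entry (0x4030000 in PID 6 in the sample) were matched by Yara in memory but not carved as a valid PE. The Zone.Identifier deletion and the new directory under SysWOW64 are surfaced separately because they are the two host artefacts an incident responder can check on a suspect machine without the sandbox.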