Windows Analysis Report aoPHg7b78c

Overview

General Information

Sample Name: aoPHg7b78c (renamed file extension from none to dll)
Analysis ID: 553144
MD5: 142b439bbfee0b501b2c25ac46f383c4
SHA1: 711a48cd51c5ff6a638913b4d4fa64ae7ae85530
SHA256: 23050d77ca088359fb1d6c3a5b201c56a55bf5be9137a6d69bca91f5b2cafbda
Tags: 32dllexe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6720 cmdline: loaddll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6736 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6760 cmdline: rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6756 cmdline: regsvr32.exe /s C:\Users\user\Desktop\aoPHg7b78c.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 4812 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6752 cmdline: rundll32.exe C:\Users\user\Desktop\aoPHg7b78c.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4696 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gmpumh\aylxdwzwghrxhxt.vai",AdUu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1496 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gmpumh\aylxdwzwghrxhxt.vai",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6500 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5640 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.674927662.0000000004AC1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.1182814824.00000000046B0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.1183507223.0000000004B91000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.673514281.0000000004E91000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.673381986.0000000004CD1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 49 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.rundll32.exe.4ca0000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.4b90000.15.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.4ca0000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.4bc0000.3.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.2b30000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 76 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6736, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\aoPHg7b78c.dll",#1, ProcessId: 6760

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4c10000.4.raw.unpack | Malware Configuration Extractor: Emotet (same configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: aoPHg7b78c.dll | Virustotal: Detection: 32%
Machine Learning detection for sample
Source: aoPHg7b78c.dll | Joe Sandbox ML: detected
Source: aoPHg7b78c.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49778 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49779 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration (the 27 C2 endpoints are those in the "C2 list" of the Malware Configuration section above)
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.4:49779 -> 69.16.218.101:8080
Source: unknown | Network traffic detected: IP country count 11
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101 (12 occurrences)
Source: svchost.exe, 00000011.00000003.781266166.000001AAEFB8C000.00000004.00000001.sdmp | String found in binary or memory: [Spotify app-listing JSON blob omitted] equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000003.781266166.000001AAEFB8C000.00000004.00000001.sdmp | String found in binary or memory: [same Spotify app-listing JSON blob omitted] equals www.twitter.com (Twitter)
Source: svchost.exe, 00000011.00000003.781287560.000001AAEFB9D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.781266166.000001AAEFB8C000.00000004.00000001.sdmp | String found in binary or memory: [same Spotify app-listing JSON blob omitted; entry truncated in the original report]
Source: svchost.exe, 00000011.00000003.781266166.000001AAEFB8C000.00000004.00000001.sdmp | String found in binary or memory: [Spotify SKU / fulfillment JSON blob omitted; entry truncated in the original report]
Source: svchost.exe, 00000011.00000002.796358525.000001AAEF2E1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000008.00000003.703009687.0000000004D87000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c247070c01707
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.776973344.000001AAEFB90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.776922582.000001AAEFB6C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777217767.000001AAEFBB0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.777193197.000001AAEFBD0000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.778025380.000001AAEFB84000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.778051939.000001AAEFB95000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.778223427.000001AAEFBA6000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.778203433.000001AAEFB84000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100012D0 recvfrom,2_2_100012D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_1000FF59

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Source: aoPHg7b78c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Gmpumh\aylxdwzwghrxhxt.vai:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Gmpumh\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04580ABA6_2_04580ABA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045946BD6_2_045946BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04580EBC6_2_04580EBC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0457C6B86_2_0457C6B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04583EAA6_2_04583EAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045936AA6_2_045936AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04571CA16_2_04571CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458A2A56_2_0458A2A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0457BAA96_2_0457BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04587D5B6_2_04587D5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04592D536_2_04592D53
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458E9556_2_0458E955
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0457D14C6_2_0457D14C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045857796_2_04585779
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458437A6_2_0458437A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458017B6_2_0458017B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04584F746_2_04584F74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045897746_2_04589774
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04576B7A6_2_04576B7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0457F3696_2_0457F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045855156_2_04585515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04592B096_2_04592B09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0457EF0C6_2_0457EF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04588D3D6_2_04588D3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045853336_2_04585333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04571F386_2_04571F38
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458FBDE6_2_0458FBDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0457E7DE6_2_0457E7DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458C5D56_2_0458C5D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0458E1F86_2_0458E1F8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045827F96_2_045827F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045885FF6_2_045885FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_045755FF6_2_045755FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04574BFC6_2_04574BFC
                      Source: C:\Windows\SysWOW64\