
Windows Analysis Report IkroV40UrZ

Overview

General Information

Sample Name: IkroV40UrZ (renamed file extension from none to dll)
Analysis ID: 528696
MD5: 212599483786f352c8ed6cd9d80b5200
SHA1: 2eb94160502ad93a12731abeebd2088beff8566d
SHA256: cc38c2fffdb9221d3d579488c424a8d3df4d7bd0f61a9bb7a9f574f86daa788f
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • svchost.exe (PID: 6208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 6168 cmdline: loaddll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6240 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6232 cmdline: rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6176 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5320 cmdline: rundll32.exe C:\Users\user\Desktop\IkroV40UrZ.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6560 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn",LTJacfTd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Paztjwaafuum\wtlx.fdn",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 2212 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6220 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source: 00000008.00000002.1181155000.0000000002870000.00000040.00000010.sdmp, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 00000003.00000002.665726313.0000000004630000.00000040.00000001.sdmp, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 00000004.00000002.664559498.0000000002AB0000.00000040.00000001.sdmp, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 00000003.00000002.665957806.0000000004B90000.00000040.00000001.sdmp, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 00000008.00000002.1182007350.00000000051C0000.00000040.00000001.sdmp, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
(5 of 13 entries shown)

Unpacked PEs

Source: 8.2.rundll32.exe.4710000.4.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 3.2.rundll32.exe.4c70000.4.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 8.2.rundll32.exe.2d60000.2.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 3.2.rundll32.exe.4c70000.4.raw.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
Source: 8.2.rundll32.exe.4f00000.10.raw.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
(5 of 31 entries shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Paztjwaafuum\wtlx.fdn",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Paztjwaafuum\wtlx.fdn",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn",LTJacfTd, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6560, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Paztjwaafuum\wtlx.fdn",Control_RunDLL, ProcessId: 6744

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.50e0000.14.raw.unpack, Malware Configuration Extractor: Emotet (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: IkroV40UrZ.dll, Virustotal: Detection: 22%
Machine Learning detection for sample
Source: IkroV40UrZ.dll, Joe Sandbox ML: detected
Source: IkroV40UrZ.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_02DA1A80 FindFirstFileW, 8_2_02DA1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49753 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: the 20 endpoints of the "C2 list" in the Malware Configuration section above
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected:
GET /fSauBpzYdxdutXQRhfFWvUQgIeYPAyASpVgdvBITrKg HTTP/1.1
Cookie: S=6I/+QFVkcZtEzrIvT3k/4krcj0iik0utDUWBYWFm1M2gATilaTmPlb+FtYPm9vhOKqtO/fCkMWv0ru0nH5uWWukSSKNek4hSSgLUIigWtGu0L5pLKMyPnvsDMIGtSHshg/BMAZugrtxCBFzTPI37mmvxUjNbS+15CuLUIKmvh10CIS1l/qevcU+0nhAGddK2+7497jOsxcsoO1478ofWf4wArlXzjKbRIEPBEaRxell8LCtO0ghSUMednJzxj4jn
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190
Source: Joe Sandbox View, IP Address: 78.46.73.125
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown, Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, rundll32.exe, 00000003.00000002.666401387.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.665163997.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.668704843.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1183420472.0000000010056000.00000002.00020000.sdmp, IkroV40UrZ.dll, String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000015.00000002.894285353.0000021EFD4E9000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.894285353.0000021EFD4E9000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, rundll32.exe, 00000003.00000002.666401387.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.665163997.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.668704843.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1183420472.0000000010056000.00000002.00020000.sdmp, IkroV40UrZ.dll, String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.872778773.0000021EFDD76000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000015.00000003.872803029.0000021EFE202000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872736736.0000021EFDD9E000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872761382.0000021EFDD9E000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872788484.0000021EFDD87000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872778773.0000021EFDD76000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_02DB1027 InternetReadFile, 8_2_02DB1027
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10023471 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 3_2_10023471
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 3_2_10013EC9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 8.2.rundll32.exe.4710000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4c70000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2d60000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4c70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4f00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4c40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2870000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.50e0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.50d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.50d0000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4750000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.52f0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4b90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4f70000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.52f0000.18.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.50e0000.14.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4f10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.51c0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.51c0000.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4f10000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.2d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4b90000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4c40000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4ea0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4f70000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4ea0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4f00000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.rundll32.exe.4710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.1181155000.0000000002870000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.665726313.0000000004630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.664559498.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.665957806.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1182007350.00000000051C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.668227478.0000000004750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.666321163.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.666059201.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.666260679.0000000004F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181931898.00000000050E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181681043.0000000004C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181375522.0000000002D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.666191269.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181870913.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181601971.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1182479179.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181760635.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1181809796.0000000004F00000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

Source: IkroV40UrZ.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Paztjwaafuum\
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions, process 3, image at 0x10000000 (identifiers of the form 3_2_<address>):
    10046A46, 10010E3B, 1003FFA2
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions, process 3, region at 0x04660000 (89 entries, identifiers 3_2_<address>):
    0466441E, 0466F41F, 0467056A, 04662043, 046790BA, 0466A3DF, 04669384, 04664C00,
    0467ECE3, 0467AEEB, 0467DEF4, 04663845, 046808D1, 0467D99A, 04662A46, 0467CAA8,
    04677BB2, 0467E441, 046744AA, 0467748A, 04663502, 0466251C, 046655E8, 0466C5FE,
    046825C3, 0466758F, 04662654, 0467D6A7, 04680687, 0467577E, 0467406E, 0466A048,
    046630F6, 0467D091, 0467F14D, 0466C158, 0467B1B5, 04681193, 0466D223, 04675220,
    0466220A, 0466E21C, 04667283, 04663345, 04681343, 04662309, 046803F1, 046743B3,
    0467B397, 04661C76, 0466EC27, 04668C09, 04671C10, 0467CCD4, 0466CC8D, 0466AC95,
    04663C91, 0467AC9B, 0467FD10, 04679DA1, 04674D8D, 0466FD91, 04669E22, 0467BEC9,
    04677ED1, 0466FEA0, 04674E8A, 04671F6B, 04663F5C, 0467BFE8, 04666FC4, 04672FA2,
    0466BFB6, 04664F8E, 0467F83F, 0467A8F0, 046778A5, 046798BD, 0468292B, 04665923,
    04669A57, 04681A3C, 04661A0A, 04670ADE, 0466DAAE, 04665AB2, 04666B25, 04680B34,
    04674BAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions, process 7, region at 0x047A0000 (89 entries, identifiers 7_2_<address>):
    047A441E, 047BCAA8, 047B43B3, 047A1C76, 047B406E, 047A9A57, 047A2654, 047AA048,
    047A2043, 047BE441, 047A2A46, 047A3845, 047C1A3C, 047BF83F, 047A9E22, 047AD223,
    047B5220, 047AEC27, 047AF41F, 047AE21C, 047B1C10, 047A1A0A, 047A220A, 047A8C09,
    047A4C00, 047BA8F0, 047A30F6, 047BDEF4, 047BAEEB, 047BECE3, 047B0ADE, 047B7ED1,
    047C08D1, 047BCCD4, 047BBEC9, 047B90BA, 047B98BD, 047A5AB2, 047B44AA, 047ADAAE,
    047AFEA0, 047BD6A7, 047B78A5, 047BAC9B, 047BD091, 047A3C91, 047AAC95, 047B4E8A,
    047B748A, 047ACC8D, 047A7283, 047C0687, 047B577E, 047B1F6B, 047B056A, 047AC158,
    047A3F5C, 047BF14D, 047A3345, 047C1343, 047C0B34, 047C292B, 047A5923, 047A6B25,
    047A251C, 047BFD10, 047A2309, 047A3502, 047AC5FE, 047C03F1, 047A55E8, 047BBFE8,
    047AA3DF, 047A6FC4, 047C25C3, 047B7BB2, 047ABFB6, 047BB1B5, 047B4BAA, 047B2FA2,
    047B9DA1, 047BD99A, 047AFD91, 047BB397, 047C1193, 047A4F8E, 047A758F, 047B4D8D,
    047A9384
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions, process 8, region at 0x02D90000 (89 entries, identifiers 8_2_<address>):
    02DB08D1, 02DA7ED1, 02DADEF4, 02D930F6, 02DAECE3, 02D9AC95, 02DA748A, 02D95AB2,
    02DA44AA, 02DA78A5, 02D92043, 02D93845, 02D9441E, 02D9220A, 02DAF83F, 02DA5220,
    02D9EC27, 02D96FC4, 02D9C5FE, 02D955E8, 02D9758F, 02D99384, 02D9BFB6, 02DA4BAA,
    02DA2FA2, 02DB0B34, 02DA0ADE, 02DACCD4, 02DABEC9, 02DAA8F0, 02DAAEEB, 02DAAC9B,
    02D93C91, 02DAD091, 02DA4E8A, 02D9CC8D, 02D97283, 02DB0687, 02DA90BA, 02DA98BD,
    02DACAA8, 02D9DAAE, 02D9FEA0, 02DAD6A7, 02D92654, 02D99A57, 02D9A048, 02DAE441,
    02D92A46, 02D91C76, 02DA406E, 02D9E21C, 02D9F41F, 02DA1C10, 02D98C09, 02D91A0A,
    02D94C00, 02DB1A3C, 02D9D223, 02D99E22, 02D9A3DF, 02DB25C3, 02DB03F1, 02DABFE8,
    02DAD99A, 02D9FD91, 02DB1193, 02DAB397, 02DA4D8D, 02D94F8E, 02DA7BB2, 02DA43B3,
    02DAB1B5, 02DA9DA1, 02D9C158, 02D93F5C, 02DAF14D, 02DB1343, 02D93345, 02DA577E,
    02DA056A, 02DA1F6B, 02D9251C, 02DAFD10, 02D92309, 02D93502, 02DB292B, 02D95923,
    02D96B25
Note: the 89 addresses for processes 3, 7 and 8 are the same offsets (for example 0x441E, 0x2292B, 0x0B34) relative to three load bases, 0x04660000, 0x047A0000 and 0x02D90000, so the three rundll32.exe instances carry one and the same unpacked module; analysing any one of the three dumps covers the others.
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10041CAB appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10041DB8 appears 37 times
Source: IkroV40UrZ.dll | Virustotal: Detection: 22%
Source: IkroV40UrZ.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IkroV40UrZ.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn",LTJacfTd
Source: C:\Windows\SysWOW64\rundll32.exe | Process created:
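The process tree above ends with rundll32.exe relaunching itself on the copy the loader dropped under C:\Windows\SysWOW64\Paztjwaafuum\ with a made-up extension (.fdn) and a random export name (LTJacfTd); that last launch is the behaviour behind the "Sigma detected: Emotet RunDLL32 Process Creation" signature, whereas the loaddll32.exe and cmd.exe launches of the Desktop DLL are the sandbox harness. The Python below is an added example, not part of the report and not Joe Sandbox's or the Sigma rule's logic: it scores rundll32 command lines with three heuristics (non-DLL module extension, module inside a subdirectory of SysWOW64/System32, rundll32 spawned by rundll32) plus a weak signal for a non-standard export, and runs them over the report's own process-creation events, transcribed here as constructed input. The weights and the threshold are assumptions.

```python
"""Score rundll32 launches for the Emotet loader pattern seen in this report.

Added example: heuristic weights and the threshold are assumptions, not the
sandbox's Sigma rule. Input events are transcribed from the report's process
tree as (parent image, command line) pairs.
"""
import ntpath
import re
from dataclasses import dataclass, field

# rundll32 command line: [path\]rundll32[.exe] <module>,<entry>  (module may be quoted)
RUNDLL32_CMD = re.compile(
    r'^\S*rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^,\s]+))'
    r'\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
STANDARD_ENTRIES = {"control_rundll", "control_rundllasuser"}


@dataclass
class Finding:
    cmdline: str
    module: str = ""
    entry: str = ""
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_rundll32(cmdline):
    """Return (module, entry) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_CMD.match(cmdline.strip())
    if not m:
        return None
    return (m.group("qmod") or m.group("mod")), m.group("entry")


def score_rundll32(cmdline, parent_image):
    """Apply the heuristics to one process-creation event."""
    f = Finding(cmdline=cmdline)
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return f
    f.module, f.entry = parsed
    low = f.module.lower()
    ext = ntpath.splitext(low)[1]
    # The dropped copy is loaded under a made-up extension (.fdn in this report).
    if ext not in LOADABLE_EXTS:
        f.score += 3
        f.reasons.append(f"module extension {ext or '(none)'} is not a DLL-type extension")
    # The copy sits in a random subdirectory of SysWOW64, not in SysWOW64 itself.
    for sysdir in SYSTEM_DIRS:
        if low.startswith(sysdir) and "\\" in low[len(sysdir):]:
            f.score += 2
            f.reasons.append("module is in a subdirectory of the system directory")
            break
    # The Control_RunDLL stage relaunches rundll32 from rundll32.
    if ntpath.basename(parent_image).lower() == "rundll32.exe":
        f.score += 1
        f.reasons.append("rundll32 spawned by rundll32")
    # Weak signal: a named export that is neither an ordinal nor a control-panel entry.
    if not f.entry.startswith("#") and f.entry.lower() not in STANDARD_ENTRIES:
        f.score += 1
        f.reasons.append(f"non-standard export {f.entry}")
    return f


def scan(events, threshold=4):
    """Score every (parent_image, cmdline) event; return hits, highest score first."""
    findings = [score_rundll32(cmd, parent) for parent, cmd in events]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed input: the report's process tree, sandbox harness included.
REPORT_EVENTS = [
    ("unknown", r'loaddll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll"'),
    (r"C:\Windows\System32\loaddll32.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1'),
    (r"C:\Windows\System32\loaddll32.exe", r"rundll32.exe C:\Users\user\Desktop\IkroV40UrZ.dll,Control_RunDLL"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1'),
    (r"C:\Windows\SysWOW64\rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",Control_RunDLL'),
    (r"C:\Windows\SysWOW64\rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn",LTJacfTd'),
]

if __name__ == "__main__":
    for hit in scan(REPORT_EVENTS):
        print(f"score {hit.score}: {hit.cmdline}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

Only the final event clears the threshold (score 7); the harness launches score 0 or 1, so a rule keyed on "rundll32 with ordinal #1" or "rundll32 loading from the user's Desktop" alone would fire on the sandbox, not on the infection. In production the subdirectory heuristic needs an allowlist for anything that legitimately loads from System32 subfolders, and the export-name signal should stay a tie-breaker rather than a trigger.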