
Windows Analysis Report 8ozP45Xn3V

Overview

General Information

Sample Name: 8ozP45Xn3V (renamed file extension from none to dll)
Analysis ID: 553116
MD5: 5b1f5dfeb1d63dfad1961f11a1d13ccd
SHA1: 140fae6f1e530e994b73b5ccf3d8343aa2c3e94b
SHA256: 408e24e34e423d0ee843ee6b153b804765896348e8a046d9aae7b899b3194fb8
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5716 cmdline: loaddll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5584 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6036 cmdline: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6180 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6048 cmdline: regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3864 cmdline: rundll32.exe C:\Users\user\Desktop\8ozP45Xn3V.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6920 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 2860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5772 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6476 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
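The two "Public Key" values above are base64-encoded CNG BCRYPT_ECCKEY_BLOB structures: a 4-byte magic ("ECS1" for an ECDSA P-256 public key, "ECK1" for ECDH P-256), a little-endian cbKey of 32, then the X and Y coordinates big-endian. The Python below is an added example, not Joe Sandbox code or Emotet's own: it parses the configuration exactly as listed above, validates each key blob (magic, length, and that the point satisfies the P-256 curve equation), and tallies the C2 endpoints by port. The blob layout and curve constants are public CNG and NIST definitions; the summary format is the author's choice.

```python
import base64
import struct
from collections import Counter
from ipaddress import ip_address

# Configuration exactly as the sandbox extracted it for this sample (copied from the report above).
EMOTET_CONFIG = {
    "C2 list": [
        "45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080",
        "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080",
        "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080",
        "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080",
        "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080",
        "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443",
        "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443",
    ],
    "Public Key": [
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    ],
}

# CNG BCRYPT_ECCKEY_BLOB magics for P-256 public keys, as the bytes the little-endian DWORDs produce.
ECC_MAGICS = {b"ECS1": "ECDSA-P256", b"ECK1": "ECDH-P256"}

# NIST P-256: y^2 = x^3 + a*x + b over GF(p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def is_on_p256(x: int, y: int) -> bool:
    """True if (x, y) satisfies the P-256 curve equation, the only sanity check a bare public point allows."""
    if not (0 < x < P256_P and 0 < y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def parse_ecc_blob(b64: str) -> dict:
    """Decode one base64 BCRYPT_ECCKEY_BLOB: magic (4 bytes), cbKey (DWORD), then X and Y big-endian."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("blob shorter than the 8-byte BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = struct.unpack_from("<4sI", raw, 0)
    if magic not in ECC_MAGICS:
        raise ValueError(f"unexpected magic {magic!r}")
    if cb_key != 32 or len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"inconsistent lengths: cbKey={cb_key}, blob={len(raw)} bytes")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    return {"algorithm": ECC_MAGICS[magic], "x": x, "y": y, "on_curve": is_on_p256(x, y)}


def parse_c2_list(entries) -> list:
    """Turn 'ip:port' strings into (ip, port) tuples, rejecting anything that is not a literal IP."""
    out = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {entry!r}")
        out.append((str(ip_address(host)), int(port)))
    return out


def summarize(config: dict) -> dict:
    """Parsed C2 endpoints, a per-port tally, and the decoded/validated key blobs."""
    c2 = parse_c2_list(config["C2 list"])
    keys = [parse_ecc_blob(k) for k in config["Public Key"]]
    return {"c2": c2, "ports": dict(Counter(port for _, port in c2)), "keys": keys}


if __name__ == "__main__":
    report = summarize(EMOTET_CONFIG)
    print(f"{len(report['c2'])} C2 endpoints, by port: {report['ports']}")
    for k in report["keys"]:
        print(f"{k['algorithm']}: on_curve={k['on_curve']} x={k['x']:064x}")
```

The ECDSA key is what the bot uses to verify signed responses from the controllers and the ECDH key seeds the per-session traffic encryption, so a config whose blobs fail the magic or length check, or whose point is off the curve, is a sign the extractor picked up a stale or corrupted buffer rather than the live configuration.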

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.678801674.0000000004EA1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.1193813171.0000000000AD1000.00000020.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.1196243909.0000000004FD0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.683302750.0000000004581000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.1196558056.00000000051D0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(5 of 45 entries shown)

            Unpacked PEs

Source | Rule | Description | Author
8.2.rundll32.exe.ad0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.rundll32.exe.4fd0000.12.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.rundll32.exe.5530000.22.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.rundll32.exe.e80000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.rundll32.exe.4f20000.11.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(5 of 70 entries shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5584, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1, ProcessId: 6036
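The Sigma rule fires only on the ordinal export (",#1"), but the process tree above shows two more patterns worth alerting on: rundll32 being re-launched by rundll32 or regsvr32 with DllRegisterServer, and the copy dropped as C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff, a module with a non-.dll extension in a fresh System32/SysWOW64 subdirectory. The Python triage below is an added example, not Joe Sandbox or Sigma code: the process records are constructed from the tree above (PID, parent PID, command line), and the four checks and their wording are the author's.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    cmdline: str


# Constructed input: PIDs, parents and command lines copied from the process tree in the report.
PROCESSES = [
    Proc(5716, None, r'loaddll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll"'),
    Proc(5584, 5716, r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1'),
    Proc(6036, 5584, r'rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",#1'),
    Proc(6180, 6036, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer'),
    Proc(6048, 5716, r'regsvr32.exe /s C:\Users\user\Desktop\8ozP45Xn3V.dll'),
    Proc(5824, 6048, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\8ozP45Xn3V.dll",DllRegisterServer'),
    Proc(3864, 5716, r'rundll32.exe C:\Users\user\Desktop\8ozP45Xn3V.dll,DllRegisterServer'),
    Proc(7024, 3864, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff",ywJlCo'),
    Proc(6920, 7024, r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Awmbc\hyrvgwa.iff",DllRegisterServer'),
    Proc(2860, None, r'C:\Windows\System32\svchost.exe -k netsvcs -p'),
]

IMAGE_RE = re.compile(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', re.S)          # first token = image
RUNDLL_ARGS_RE = re.compile(r'(?:"([^"]+)"|([^,\s"]+)),(\S+)')          # <module>,<export>
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
SYSDIR_SUBDIR_RE = re.compile(r'\\Windows\\(?:System32|SysWOW64)\\[^\\]+\\[^\\]+$', re.I)
LOADERS = {"rundll32.exe", "regsvr32.exe"}


def split_image(cmdline: str):
    """Return (lower-cased image basename, remaining arguments)."""
    m = IMAGE_RE.match(cmdline)
    image = m.group(1) or m.group(2)
    return ntpath.basename(image).lower(), m.group(3)


def loaded_module(image: str, args: str):
    """(module path, export name or None) for rundll32/regsvr32 command lines; (None, None) otherwise."""
    if image == "rundll32.exe":
        m = RUNDLL_ARGS_RE.match(args)
        return ((m.group(1) or m.group(2)), m.group(3)) if m else (None, None)
    if image == "regsvr32.exe":
        toks = [a or b for a, b in TOKEN_RE.findall(args) if not (a or b).startswith("/")]
        return (toks[-1] if toks else None), None
    return None, None


def triage(proc: Proc, by_pid: dict) -> list:
    """Findings for one process; empty list means nothing suspicious under these checks."""
    image, args = split_image(proc.cmdline)
    findings = []
    if image not in LOADERS:
        return findings
    module, export = loaded_module(image, args)
    if export and re.fullmatch(r"#\d+", export):
        findings.append("export called by ordinal")          # what the Sigma rule above matches
    if module:
        if not module.lower().endswith(".dll"):
            findings.append("module without .dll extension")
        if SYSDIR_SUBDIR_RE.search(module):
            findings.append("module in a subdirectory of System32/SysWOW64")
    parent = by_pid.get(proc.ppid)
    if parent:
        parent_image = split_image(parent.cmdline)[0]
        if parent_image in LOADERS:
            findings.append(f"spawned by {parent_image}")   # re-launch of the module with another export
    return findings


def triage_all(processes) -> dict:
    """Map PID -> findings for every process that has at least one finding."""
    by_pid = {p.pid: p for p in processes}
    result = {}
    for p in processes:
        f = triage(p, by_pid)
        if f:
            result[p.pid] = f
    return result


if __name__ == "__main__":
    for pid, hits in triage_all(PROCESSES).items():
        print(pid, "->", "; ".join(hits))
```

Run against the tree above this flags PIDs 6036, 6180, 5824, 7024 and 6920 and leaves cmd.exe, loaddll32.exe, regsvr32.exe and the svchost.exe instances alone; the "spawned by" check is what separates the analyst-driven first launches from the sample relaunching itself.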

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.5500000.21.unpack | Malware Configuration Extractor: Emotet (C2 list and public keys as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 8ozP45Xn3V.dll | Virustotal: Detection: 26%
Source: 8ozP45Xn3V.dll | ReversingLabs: Detection: 30%
Antivirus detection for URL or domain
Source: https://45.138.98.34/tC | Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/kTrIpBlTHDTtgSQyGu | Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/kTrIpBlTHDTtgSQyG | Avira URL Cloud: Label: malware
Source: https://45.138.98.34/BCF | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: 8ozP45Xn3V.dll | Joe Sandbox ML: detected
Uses 32bit PE files
Source: 8ozP45Xn3V.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49809 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49810 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144 (the port is printed as 144 here; the Snort alert above and the extracted configuration both give 69.16.218.101:8080)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 45.138.98.34:80
Source: Malware configuration extractor | IPs: 69.16.218.101:8080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.168.220:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 104.131.62.48:8080
Source: Malware configuration extractor | IPs: 62.171.178.147:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 210.57.209.142:8080
Source: Malware configuration extractor | IPs: 159.69.237.188:443
Source: Malware configuration extractor | IPs: 116.124.128.206:8080
Source: Malware configuration extractor | IPs: 128.199.192.135:8080
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Malware configuration extractor | IPs: 185.148.168.15:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 190.90.233.66:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.4:49810 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown | Network traffic detected: IP country count 12
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101 (reported 12 times)
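"TCP traffic without a corresponding DNS query" is a cheap, high-value check for loaders like this one, which carry their controllers as literal IP:port pairs and never resolve a name. The Python below is an added example of that detection, not Joe Sandbox logic: it joins a stream of DNS answers against TCP connections, flags connections whose destination was not returned by any DNS answer seen earlier in the capture, ignores RFC 1918 and loopback destinations, and marks hits that match the extracted configuration. The sample events are constructed; the two C2 flows reuse the addresses and ports from the Snort alerts above, while the hostnames and the 203.0.113.x / 198.51.100.x addresses are documentation ranges chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsAnswer:
    ts: float   # seconds into the capture
    name: str
    ip: str


@dataclass(frozen=True)
class TcpConn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


# Constructed events. The flow to 198.51.100.7 is deliberately placed BEFORE its DNS answer,
# so a naive "was this IP ever resolved?" join would miss it.
DNS_ANSWERS = [
    DnsAnswer(10.0, "cdn.example", "203.0.113.10"),
    DnsAnswer(16.0, "late.example", "198.51.100.7"),
]
TCP_CONNS = [
    TcpConn(11.0, "192.168.2.4", 49800, "203.0.113.10", 80),     # resolved first: benign pattern
    TcpConn(12.0, "192.168.2.4", 49809, "45.138.98.34", 80),     # from the Snort alert above
    TcpConn(13.0, "192.168.2.4", 49810, "69.16.218.101", 8080),  # from the Snort alert above
    TcpConn(14.0, "192.168.2.4", 49811, "69.16.218.101", 8080),  # repeat beacon
    TcpConn(15.0, "192.168.2.4", 49812, "198.51.100.7", 443),    # resolved only afterwards
    TcpConn(15.5, "192.168.2.4", 49813, "192.168.2.1", 445),     # local traffic, ignored
]
# (ip, port) pairs taken from the extracted configuration above (two of the 27 entries suffice here).
KNOWN_C2 = {("45.138.98.34", 80), ("69.16.218.101", 8080)}

# Explicit RFC 1918 / loopback list rather than ipaddress.is_private, which also treats the
# documentation ranges used in this sample as private and would hide the test flows.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direct_to_ip_connections(dns, conns, known_c2=frozenset()) -> list:
    """Outbound TCP connections whose destination appears in no DNS answer observed at or before the connection."""
    answers = sorted(dns, key=lambda a: a.ts)
    flagged = []
    for c in sorted(conns, key=lambda c: c.ts):
        if is_local(c.dst):
            continue
        resolved_earlier = any(a.ip == c.dst and a.ts <= c.ts for a in answers)
        if not resolved_earlier:
            flagged.append({"conn": c, "in_c2_config": (c.dst, c.dport) in known_c2})
    return flagged


def per_destination_counts(flagged) -> dict:
    """Collapse flagged flows per destination IP, the way the report repeats its 'without DNS' lines."""
    return dict(Counter(f["conn"].dst for f in flagged))


if __name__ == "__main__":
    hits = direct_to_ip_connections(DNS_ANSWERS, TCP_CONNS, KNOWN_C2)
    for h in hits:
        c = h["conn"]
        tag = "matches extracted C2" if h["in_c2_config"] else "unexplained"
        print(f"{c.src}:{c.sport} -> {c.dst}:{c.dport}  ({tag})")
    print(per_destination_counts(hits))
```

The ordering check matters in practice: Zeek-style logs are not guaranteed to arrive in order, and a DNS answer that arrives after the connection it supposedly explains (prefetch, a later lookup by another process) should not retroactively clear an earlier direct-to-IP flow.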
Note: the svchost.exe entries below (Passport.NET, login.live.com, account.live.com, the WS-Trust/WS-Security schema URLs, disneyplus.com) are strings read from Windows service memory; no signature in this report attributes them to the sample. The sample's own network strings are the rundll32.exe (process 00000008) entries for 45.138.98.34 and 69.16.218.101, which match the extracted C2 list and the Snort alerts.
Source: svchost.exe, 00000017.00000002.1194981678.000002C9BAC34000.00000004.00000001.sdmp | String found in binary or memory: http://Passport.NET/tbpose
Source: rundll32.exe, 00000008.00000002.1194344146.0000000000E29000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724792772.0000000000E29000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.834438299.000002AF41B00000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194368719.000002C9B9ED6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000017.00000002.1194368719.000002C9B9ED6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 00000008.00000002.1194344146.0000000000E29000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724792772.0000000000E29000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 00000008.00000003.724792772.0000000000E29000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000008.00000003.722034838.000000000526D000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8aa9079227d7d
Source: svchost.exe, 00000017.00000002.1193992900.000002C9B9E2A000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000017.00000002.1194580462.000002C9BA700000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdUSMiY0
Source: svchost.exe, 00000017.00000003.1166171131.000002C9BA75E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1166149860.000002C9BA75A000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:
Source: svchost.exe, 00000017.00000002.1193992900.000002C9B9E2A000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000017.00000002.1194580462.000002C9BA700000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd5KSBq
Source: svchost.exe, 00000017.00000003.1166171131.000002C9BA75E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1166149860.000002C9BA75A000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst=
Source: svchost.exe, 00000017.00000003.1166081062.000002C9BA729000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-tok
Source: svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000017.00000002.1194171773.000002C9B9E7B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp | String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000017.00000003.1166288410.000002C9BA70F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000017.00000002.1193992900.000002C9B9E2A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194638282.000002C9BA713000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194770983.000002C9BA768000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scTw=
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scsice
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194770983.000002C9BA768000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000017.00000003.1166089900.000002C9BA72F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000017.00000002.1194638282.000002C9BA713000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustn
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://45.138.98.34/BCF
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://45.138.98.34/tC
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://45.138.98.34:80/kTrIpBlTHDTtgSQyG
Source: rundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp | String found in binary or memory: https://45.138.98.34:80/kTrIpBlTHDTtgSQyGu
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101/
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101/PCH
Source: rundll32.exe, 00000008.00000002.1194144589.0000000000DBA000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOV
Source: rundll32.exe, 00000008.00000002.1194259270.0000000000E09000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.724853392.0000000000E09000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/mqHphxEnNLNXvTjzpCyiWOKGJsACjqrMZUZsOVl
Source: svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer
Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer
Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srfn.srf?
Source: svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageLog0
Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000017.00000002.1194171773.000002C9B9E7B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194250007.000002C9B9EB6000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/RST2.srfHV
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsec
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecientAuth.srf
                      Source: svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/
                      Source: svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/8
                      Source: svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/Device
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                      Source: svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassocia8
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                      Source: svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                      Source: svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                      Source: svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                      Source: svchost.exe, 00000017.00000003.1164466007.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
                      Source: svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164766169.000002C9BA76D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                      Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfq
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                      Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164412004.000002C9BA76B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                      Source: svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603Issuer
                      Source: svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                      Source: svchost.exe, 00000017.00000003.1164539050.000002C9BA70E000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164552038.000002C9BA70E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                      Source: svchost.exe, 00000017.00000003.1164345799.000002C9BA72C000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164338085.000002C9BA729000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164475418.000002C9BA72C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                      Source: svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                      Source: svchost.exe, 00000017.00000003.1164390378.000002C9BA755000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194073407.000002C9B9E5D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                      Source: svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srfsuer
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164484627.000002C9BA751000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.1194411587.000002C9B9F02000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                      Source: svchost.exe, 00000017.00000002.1194692154.000002C9BA737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/retention.srf
                      Source: svchost.exe, 00000017.00000002.1194009149.000002C9B9E3D000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164570052.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164493083.000002C9BA73B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164735346.000002C9BA741000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.1164674528.000002C9BA740000.00000004.00000001.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                      Source: svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000014.00000003.808230171.000002AF41B8E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808218416.000002AF41B7D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808191366.000002AF41BC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808173476.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.808255276.000002AF41BDE000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000014.00000003.810766937.000002AF41BD6000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810797201.000002AF41BD6000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.811421758.000002AF41B95000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810823224.000002AF41BBF000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810847190.000002AF42002000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.810750105.000002AF41B5B000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100012D0 recvfrom,2_2_100012D0
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_1000FF59
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_1000FF59

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 8.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4fd0000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5530000.22.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.e80000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4f20000.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.3490000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.510000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5500000.21.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4a80000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.3490000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4e90000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.51d0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.e80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4a80000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.50e0000.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.49d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.51d0000.16.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4c80000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.bb0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4c10000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.54d0000.20.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4d30000.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4a00000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.b30000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4c10000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4d30000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4fd0000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4b80000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4d30000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4dc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5530000.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4ab0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4bb0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4d00000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.53d0000.18.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4b50000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5400000.19.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.53d0000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4e90000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5560000.23.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4be0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4580000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.45f0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.50b0000.14.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5000000.13.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.790000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4bb0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4550000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4550000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4ec0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.a00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4c40000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.54d0000.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4ef0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.regsvr32.exe.4ea0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4c50000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.790000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.790000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4d00000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.49d0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4be0000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4bb0000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4c50000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.4580000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.5200000.17.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4d60000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4bb0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.bb0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.4ef0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.50b0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.a00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.4b50000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.678801674.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1193813171.0000000000AD1000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196243909.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.683302750.0000000004581000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196558056.00000000051D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196279550.0000000005001000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196152272.0000000004EF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.681011389.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196337731.00000000050B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196188150.0000000004F21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1197175277.0000000005530000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1193980230.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.683437410.0000000004A01000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1195901433.0000000004C81000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.683851852.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196376857.00000000050E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.681810027.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196877858.00000000053D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1196081984.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.680753650.0000000004A80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1197104038.0000000005501000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.680819179.0000000004AB1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.683913602.0000000000791000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.683253680.0000000004550000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1197250321.0000000005561000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.681140235.0000000004C41000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1195970114.0000000004D30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1193635496.0000000000790000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.684072161.0000000004D31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.681069343.0000000004C10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.684008424.0000000004D00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196596448.0000000005201000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683386584.00000000049D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.679189508.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683941130.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196982602.0000000005401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.680200574.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.680952916.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683690737.0000000004B81000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1195866286.0000000004C50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1195525525.00000000045F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1197067981.00000000054D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.679337426.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.680607350.0000000004581000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.678402531.0000000003490000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196117652.0000000004EC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.683812885.0000000000510000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.1196009130.0000000004D61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.681945178.0000000000B31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.683628620.0000000004B50000.00000040.00000001.sdmp, type: MEMORY
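The identifiers in the Yara match list and in the Code function entries of the System Summary share one layout that can be decoded in bulk: a memory-dump name carries the analysis process number, round, base address and the Win32 page protection of the dumped region (0x20 is PAGE_EXECUTE_READ, 0x40 is PAGE_EXECUTE_READWRITE, the writable-and-executable regions where the unpacked payload lives), and the unpack names ("8.2.rundll32.exe...") and function references ("2_2_04EB85FF") use the same process/round prefix, so the regsvr32.exe functions at 0x04EAxxxx to 0x04ECxxxx can be tied to the flagged dump at 0x04EA1000 in process 2. The Python below is an added triage helper; it is not part of this report or of Joe Sandbox. The field layout of the .sdmp names, the decision not to decode the trailing type field, and the 1 MiB maximum region span used to map function addresses onto flagged dumps are assumptions; the sample lines are copied from this report.

```python
"""Added triage helper (not part of the report or of Joe Sandbox): decode the
artifact identifiers a Joe Sandbox report lists and summarise them per process.

Assumed layout of a memory-dump name (inferred from the report, not documented here):
    <process no>.<round>.<sequence>.<base address>.<protection>.<type>.sdmp
The trailing <type> field is not decoded. Process number and round match the
"<proc>.<round>.<image>.<base>.<n>.unpack" names and "<proc>_<round>_<addr>" refs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Standard Win32 page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)
UNPACK_RE = re.compile(r"\b(?P<proc>\d+)\.(?P<round>\d+)\.[\w.]+?\.exe\.[0-9A-Fa-f]+\.\d+(?:\.raw)?\.unpack")
FUNC_RE = re.compile(r"\b(?P<proc>\d+)_(?P<round>\d+)_(?P<addr>[0-9A-Fa-f]{8})")
# Assumption: a dumped region is at most 1 MiB; used to map function addresses onto dumps.
MAX_REGION_SPAN = 0x100000

# Constructed input: identifiers copied from the report lines above.
SAMPLE_REPORT_LINES = [
    "Source: Yara match, File source: 00000002.00000002.678801674.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY",
    "Source: Yara match, File source: 00000008.00000002.1193813171.0000000000AD1000.00000020.00000010.sdmp, type: MEMORY",
    "Source: Yara match, File source: 00000008.00000002.1196243909.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match, File source: 00000004.00000002.683302750.0000000004581000.00000020.00000001.sdmp, type: MEMORY",
    "Source: Yara match, File source: 8.2.rundll32.exe.4ef0000.10.unpack, type: UNPACKEDPE",
    "Source: C:\\Windows\\SysWOW64\\regsvr32.exe, Code function: 2_2_10020011",
    "Source: C:\\Windows\\SysWOW64\\regsvr32.exe, Code function: 2_2_04EB85FF",
]


@dataclass(frozen=True)
class MemoryDump:
    proc: int
    round: int
    base: int
    protect: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:x}")

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at once: the usual footprint of unpacked or injected code.
        return self.protect == 0x40


@dataclass
class ProcessSummary:
    dumps: list[MemoryDump] = field(default_factory=list)
    unpacked_pe: int = 0
    funcs_in_flagged_region: int = 0
    funcs_elsewhere: int = 0

    @property
    def rwx_dumps(self) -> int:
        return sum(d.is_rwx for d in self.dumps)


def parse_dump_name(text: str) -> MemoryDump | None:
    m = SDMP_RE.search(text)
    if not m:
        return None
    return MemoryDump(int(m["proc"], 16), int(m["round"], 16), int(m["base"], 16), int(m["protect"], 16))


def in_flagged_region(addr: int, dumps: list[MemoryDump]) -> bool:
    """True if addr lies within MAX_REGION_SPAN above the base of any Yara-flagged dump."""
    return any(d.base <= addr < d.base + MAX_REGION_SPAN for d in dumps)


def summarize(lines) -> dict[int, ProcessSummary]:
    out: dict[int, ProcessSummary] = {}
    funcs: set[tuple[int, int]] = set()  # a set, because the report repeats each reference
    for line in lines:
        if (d := parse_dump_name(line)) is not None:
            out.setdefault(d.proc, ProcessSummary()).dumps.append(d)
        elif (u := UNPACK_RE.search(line)) is not None:
            out.setdefault(int(u["proc"]), ProcessSummary()).unpacked_pe += 1
        else:
            funcs.update((int(f["proc"]), int(f["addr"], 16)) for f in FUNC_RE.finditer(line))
    for proc, addr in funcs:  # classify only once every dump of the process is known
        s = out.setdefault(proc, ProcessSummary())
        if in_flagged_region(addr, s.dumps):
            s.funcs_in_flagged_region += 1
        else:
            s.funcs_elsewhere += 1
    return out


if __name__ == "__main__":
    for proc, s in sorted(summarize(SAMPLE_REPORT_LINES).items()):
        print(f"process {proc}: {len(s.dumps)} flagged dumps ({s.rwx_dumps} RWX), "
              f"{s.unpacked_pe} unpacked PE, code functions in flagged regions: "
              f"{s.funcs_in_flagged_region}, elsewhere: {s.funcs_elsewhere}")
```

Run over the full report text rather than the sample, the per-process RWX count and the split between functions inside flagged regions and functions elsewhere (here, the regsvr32.exe function at 0x10020011, outside every flagged dump) give a quick picture of which processes hold the unpacked payload and which addresses still belong to the original image.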

                      System Summary:

                      Source: 8ozP45Xn3V.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Awmbc\hyrvgwa.iff:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Awmbc\
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10020011
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_100181CA
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1001929D
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1002542D
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_100274AE
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10026575
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1001869D
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1001178A
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10016860
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1002596F
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10022A5C
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10018A71
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1001AAB7
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_1001CB16
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10018E7D
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10025EB1
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB85FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBEFDD
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBE4E5
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBCCD9
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA1CA1
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBDC71
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBA474
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA7442
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAA445
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA3431
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA55FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB9DF5
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAC5D8
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBC5D5
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB3D85
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB654A
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB7D5B
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC2D53
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB8D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBAD08
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB5515
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC3EE9
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBBEFD
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB3EAA
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC36AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC46BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAC6B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB0EBC
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB567B
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA7E79
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EADE74
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAE640
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB2E5D
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA8636
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB67E6
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB27F9
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB07F4
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAE7DE
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB8FAE
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC07AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA77A3
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC17BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA57B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EABFBE
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB0F86
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB5779
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB4F74
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EB9774
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBFF58
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA1F38
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA670B
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAEF0C
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAF0E9
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EC00EF
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA80C0
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EBD8DB
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EA7078
                      Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_04EAA871