
Windows Analysis Report 7MhGa3iotM

Overview

General Information

Sample Name:7MhGa3iotM (renamed file extension from none to dll)
Analysis ID:553129
MD5:752a2613b2b71fc1b99eb611024cc312
SHA1:7d59cf93d7b7644119b4f2b3742a40f9960c7ca5
SHA256:2df1bd696a635b1dd0c2aec6a20b12148ccc17023be88a6fa1701896a99e2db0
Tags: 32, dll, exe, trojan

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • SgrmBroker.exe (PID: 7124 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7152 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 6180 cmdline: loaddll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1496 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5732 cmdline: rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 3360 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3348 cmdline: regsvr32.exe /s C:\Users\user\Desktop\7MhGa3iotM.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 5388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6388 cmdline: rundll32.exe C:\Users\user\Desktop\7MhGa3iotM.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 2172 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym",JFlwYpDQ MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6512 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kgiezrb\edgitxrppqaf.tym",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5808 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6456 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6640 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
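The process tree above is the behavioural core of the report: loaddll32/regsvr32 run the dropped DLL, rundll32 is first called by ordinal (#1), the DllRegisterServer export re-launches rundll32, and the final copy runs from C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym with a non-DLL extension and a random export name. The report's own Sigma hit covers only the ordinal call. The following is an added example, not part of the Joe Sandbox report: the tree replayed as process-creation events (constructed by hand from the tree; full image paths for loaddll32.exe, cmd.exe and regsvr32.exe are assumptions where the tree prints only the file name) with three detection rules run over them. The rule names are this example's own.

```python
"""Replay the report's process tree as process-creation events and run three
rundll32-centred detection rules over them (added example, not report code)."""
import ntpath
import re

# Constructed from the report's process tree. Image paths for loaddll32.exe,
# cmd.exe and regsvr32.exe are assumptions; PIDs and command lines are as printed.
EVENTS = [
    {"pid": 6180, "ppid": None, "image": r"C:\Windows\SysWOW64\loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll"'},
    {"pid": 1496, "ppid": 6180, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1'},
    {"pid": 5732, "ppid": 1496, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1'},
    {"pid": 3360, "ppid": 5732, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer'},
    {"pid": 3348, "ppid": 6180, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\Desktop\7MhGa3iotM.dll"},
    {"pid": 5388, "ppid": 3348, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer'},
    {"pid": 6388, "ppid": 6180, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\7MhGa3iotM.dll,DllRegisterServer"},
    {"pid": 2172, "ppid": 6388, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym",JFlwYpDQ'},
    {"pid": 6512, "ppid": 2172, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kgiezrb\edgitxrppqaf.tym",DllRegisterServer'},
    # Benign control from the same tree: Defender re-enabled under wscsvc.
    {"pid": 6456, "ppid": 5808, "image": r"C:\Program Files\Windows Defender\mpcmdrun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable'},
]

# rundll32 <module>,<entry>; the module may be quoted or bare.
RUNDLL_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,"]+))\s*,\s*(\S+)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CODE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) from a rundll32 command line, or None."""
    m = RUNDLL_ARGS.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def base(image):
    return ntpath.basename(image).lower()


def rule_ordinal(ev, parent):
    # The report's Sigma hit: rundll32 invoked with an export ordinal (",#N").
    parsed = parse_rundll32(ev["cmdline"])
    return base(ev["image"]) == "rundll32.exe" and parsed is not None and parsed[1].startswith("#")


def rule_hidden_module(ev, parent):
    # rundll32 loading a module with a non-code extension from a subdirectory of
    # System32/SysWOW64 (the tree's copy is SysWOW64\Kgiezrb\edgitxrppqaf.tym).
    parsed = parse_rundll32(ev["cmdline"])
    if base(ev["image"]) != "rundll32.exe" or parsed is None:
        return False
    module = parsed[0].lower()
    in_subdir = any(module.startswith(d) and "\\" in module[len(d):] for d in SYSTEM_DIRS)
    return in_subdir and ntpath.splitext(module)[1] not in CODE_EXTENSIONS


def rule_loader_chain(ev, parent):
    # rundll32 spawned by rundll32 or regsvr32: the DllRegisterServer re-launches.
    return (base(ev["image"]) == "rundll32.exe" and parent is not None
            and base(parent["image"]) in {"rundll32.exe", "regsvr32.exe"})


RULES = {
    "rundll32_ordinal_call": rule_ordinal,
    "rundll32_hidden_module": rule_hidden_module,
    "rundll32_loader_chain": rule_loader_chain,
}


def detect(events):
    """Return {rule_name: sorted list of flagged PIDs} over a list of events."""
    by_pid = {e["pid"]: e for e in events}
    hits = {name: [] for name in RULES}
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for name, rule in RULES.items():
            if rule(ev, parent):
                hits[name].append(ev["pid"])
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in detect(EVENTS).items():
        print(f"{name}: {pids}")
```

The hidden-module rule is the one worth deploying on its own: a legitimate rundll32 call names a .dll/.cpl/.ocx directly in System32 or SysWOW64, so a module with an arbitrary extension one directory deeper is a strong signal regardless of the random names. The loader-chain rule is noisier (installers do spawn rundll32 from regsvr32) and is best used to enrich rather than alert.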

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
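The configuration above is the most reusable artefact in the report. Decoding the two "Public Key" values shows they are Windows CNG BCRYPT_ECCKEY_BLOB structures: the first begins with the magic "ECK1" (BCRYPT_ECDH_PUBLIC_P256_MAGIC) and the second with "ECS1" (BCRYPT_ECDSA_PUBLIC_P256_MAGIC), each followed by cbKey = 32 and a 64-byte X||Y point. The report does not say which key the bot uses for key agreement and which for checking server responses; the magics alone identify one as an ECDH public key and the other as an ECDSA public key. The following is an added example, not Joe Sandbox's extractor: it parses the JSON printed above, groups the C2 endpoints by port, decodes and validates the key blobs (header, length, and that the point lies on NIST P-256), and emits one Suricata rule per endpoint. The rule text, message and SID range (the local range starting at 1000000) are this example's assumptions.

```python
"""Parse the extracted Emotet configuration, validate its CNG public-key blobs,
and emit per-endpoint Suricata rules (added example, not the report's own code)."""
import base64
import json
import struct
from collections import defaultdict

# Copied verbatim from the report's Malware Configuration section.
CONFIG_JSON = '''{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080",
"185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80",
"104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80",
"37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443",
"116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080",
"195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443",
"78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"],
"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
"RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}'''

# BCRYPT_ECCKEY_BLOB magics from the Windows SDK (bcrypt.h), stored little-endian.
BLOB_KINDS = {
    0x314B4345: "BCRYPT_ECDH_PUBLIC_P256_MAGIC",   # "ECK1"
    0x31534345: "BCRYPT_ECDSA_PUBLIC_P256_MAGIC",  # "ECS1"
}
# NIST P-256: y^2 = x^3 - 3x + b (mod p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_config(text):
    cfg = json.loads(text)
    for field in ("C2 list", "Public Key"):
        if field not in cfg:
            raise ValueError(f"configuration lacks {field!r}")
    return cfg


def c2_by_port(cfg):
    """{port: [host, ...]} so the 80/443/8080 mix is visible at a glance."""
    groups = defaultdict(list)
    for endpoint in cfg["C2 list"]:
        host, _, port = endpoint.rpartition(":")
        groups[int(port)].append(host)
    return dict(groups)


def on_p256(x, y):
    return 0 < x < P256_P and 0 < y < P256_P and (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def decode_ecc_blob(b64):
    """Decode a base64 BCRYPT_ECCKEY_BLOB: {dwMagic, cbKey} then big-endian X and Y."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("blob shorter than BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = struct.unpack_from("<II", raw, 0)
    if magic not in BLOB_KINDS:
        raise ValueError(f"unknown blob magic 0x{magic:08X}")
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob length {len(raw)} does not match cbKey {cb_key}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:], "big")
    return {"kind": BLOB_KINDS[magic], "bits": cb_key * 8, "x": x, "y": y, "on_curve": on_p256(x, y)}


def suricata_rules(cfg, base_sid=1000000, msg="Emotet C2 from extracted config"):
    """One outbound alert per endpoint; SIDs in the local range (assumption)."""
    rules = []
    for i, endpoint in enumerate(cfg["C2 list"]):
        host, _, port = endpoint.rpartition(":")
        rules.append(f'alert tcp $HOME_NET any -> {host} {port} '
                     f'(msg:"{msg} {endpoint}"; flow:to_server; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    for port, hosts in sorted(c2_by_port(cfg).items()):
        print(f"port {port}: {len(hosts)} hosts")
    for key in cfg["Public Key"]:
        k = decode_ecc_blob(key)
        print(f"{k['kind']} {k['bits']}-bit on_curve={k['on_curve']}")
    print("\n".join(suricata_rules(cfg)))
```

The on-curve check is the cheap sanity test for an extracted key: a blob whose header parses but whose point is off-curve is either a mis-extracted dump or a decoy, and any decryption or signature work built on it will fail silently. The rules fire on the first SYN, which matches how the sandbox traffic looks (direct TCP to the IP with no DNS query).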

Yara Overview

Memory Dumps

Source  Rule  Description  Author  Strings
00000008.00000002.298606993.00000000056B0000.00000040.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000005.00000002.294428773.0000000004E31000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
0000000D.00000002.815959143.0000000004E91000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
00000008.00000002.298670924.00000000056E1000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
0000000D.00000002.816961696.00000000050F1000.00000020.00000001.sdmp  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
(43 further memory-dump entries not shown)

            Unpacked PEs

Source  Rule  Description  Author  Strings
13.2.rundll32.exe.53a0000.18.raw.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
13.2.rundll32.exe.4ec0000.10.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
8.2.rundll32.exe.54f0000.6.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
13.2.rundll32.exe.2d50000.0.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
13.2.rundll32.exe.4ef0000.11.unpack  JoeSecurity_Emotet_1  Yara detected Emotet  Joe Security
(67 further unpacked-PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started
Author: Florian Roth
Data:
  Command: rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
  CommandLine: rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 1496
  ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1
  ProcessId: 5732

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 13.2.rundll32.exe.4fa0000.12.raw.unpack  Malware Configuration Extractor: Emotet (C2 list and public keys as reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 7MhGa3iotM.dll  Virustotal: Detection: 29%
Source: 7MhGa3iotM.dll  ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: 7MhGa3iotM.dll  Joe Sandbox ML: detected
Uses 32bit PE files
Source: 7MhGa3iotM.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic  Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49746 -> 45.138.98.34:80
Source: Traffic  Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49747 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 69.16.218.101 144 (the extracted configuration and the Snort alert above record this host on port 8080)
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor  IPs: 45.138.98.34:80
Source: Malware configuration extractor  IPs: 69.16.218.101:8080
Source: Malware configuration extractor  IPs: 51.210.242.234:8080
Source: Malware configuration extractor  IPs: 185.148.168.220:8080
Source: Malware configuration extractor  IPs: 142.4.219.173:8080
Source: Malware configuration extractor  IPs: 54.38.242.185:443
Source: Malware configuration extractor  IPs: 191.252.103.16:80
Source: Malware configuration extractor  IPs: 104.131.62.48:8080
Source: Malware configuration extractor  IPs: 62.171.178.147:8080
Source: Malware configuration extractor  IPs: 217.182.143.207:443
Source: Malware configuration extractor  IPs: 168.197.250.14:80
Source: Malware configuration extractor  IPs: 37.44.244.177:8080
Source: Malware configuration extractor  IPs: 66.42.57.149:443
Source: Malware configuration extractor  IPs: 210.57.209.142:8080
Source: Malware configuration extractor  IPs: 159.69.237.188:443
Source: Malware configuration extractor  IPs: 116.124.128.206:8080
Source: Malware configuration extractor  IPs: 128.199.192.135:8080
Source: Malware configuration extractor  IPs: 195.154.146.35:443
Source: Malware configuration extractor  IPs: 185.148.168.15:8080
Source: Malware configuration extractor  IPs: 195.77.239.39:8080
Source: Malware configuration extractor  IPs: 207.148.81.119:8080
Source: Malware configuration extractor  IPs: 85.214.67.203:8080
Source: Malware configuration extractor  IPs: 190.90.233.66:443
Source: Malware configuration extractor  IPs: 78.46.73.125:443
Source: Malware configuration extractor  IPs: 78.47.204.80:443
Source: Malware configuration extractor  IPs: 37.59.209.141:8080
Source: Malware configuration extractor  IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View  ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View  ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View  IP Address: 207.148.81.119
Source: Joe Sandbox View  IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic  TCP traffic: 192.168.2.3:49747 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown  Network traffic detected: IP country count 12
Source: unknown  TCP traffic detected without corresponding DNS query: 45.138.98.34 (reported 3 times)
Source: unknown  TCP traffic detected without corresponding DNS query: 69.16.218.101 (reported 14 times)
Source: svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp  String found in binary or memory: Microsoft Store product metadata for "Spotify - Music and Podcasts" (ProductId 9NCBCSZSJRSB, PackageFamilyName SpotifyAB.SpotifyMusic_zpdnekdrzrea0) containing http://www.facebook.com/spotify  equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp  String found in binary or memory: the same Store metadata containing http://twitter.com/spotify  equals www.twitter.com (Twitter)
Source: svchost.exe, 00000014.00000003.394269231.000001B9FBF9D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp  String found in binary or memory: the full Store product listing for the same package (market list, AlternateIds, ValidationData with RevisionId 2022-01-07T11:33:20.1626869Z); the string is truncated in the report and listed twice
Source: svchost.exe, 00000014.00000003.394252617.000001B9FBF8C000.00000004.00000001.sdmp  String found in binary or memory: the Store SKU/fulfillment record for the same package (SkuId 0011, FulfillmentType WindowsUpdate, PackageFullName SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0, MaxDownloadSizeInBytes 104380919); truncated in the report and listed twice
These four strings come from a svchost.exe process, not from the rundll32.exe or regsvr32.exe processes that host the sample; the facebook.com and twitter.com matches are links inside the Store listing itself.
                      Source: svchost.exe, 00000014.00000002.409679137.000001B9FB6E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000014.00000002.409679137.000001B9FB6E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
                      Source: rundll32.exe, 0000000D.00000003.326561339.0000000005262000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
                      Source: rundll32.exe, 0000000D.00000003.326561339.0000000005262000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/.1
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
                      Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000014.00000003.390495752.000001B9FBF7F000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390514239.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390575463.000001B9FBFA0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390534738.000001B9FBFC0000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.390606876.000001B9FBF5D000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000014.00000003.391292817.000001B9FBF7B000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.391452171.000001B9FBF7B000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100012D0 recvfrom
                      Source: loaddll32.exe, 00000002.00000002.294900679.00000000010EB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match File source: 13.2.rundll32.exe.53a0000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4ec0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.54f0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.2d50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4ef0000.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5390000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5520000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4e90000.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4ac0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.2990000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.43d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4a90000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5580000.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4fa0000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.5620000.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4c50000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.51a0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4d30000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.4d90000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5280000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.56b0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4fa0000.12.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5280000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5550000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.56b0000.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4fd0000.13.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.2d50000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4af0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.53a0000.18.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4480000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.50f0000.15.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4e60000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.53d0000.19.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.52e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.51a0000.16.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.5620000.20.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.43c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4d00000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4af0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.2990000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.50c0000.14.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5550000.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.rundll32.exe.4a70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4480000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.regsvr32.exe.4e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.3430000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.54f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.50c0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.regsvr32.exe.4e30000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.regsvr32.exe.4e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.51d0000.17.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.850000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.53c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4a90000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4d00000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4e60000.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4c20000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.45d0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4c20000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.56e0000.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.880000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5390000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.4ec0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.49c0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.850000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4b20000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.4990000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.5650000.21.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000008.00000002.298606993.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.294428773.0000000004E31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815959143.0000000004E91000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298670924.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.816961696.00000000050F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.297938888.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.814399683.0000000002D50000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815700731.0000000004D00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815587816.0000000004C51000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.817960495.0000000005651000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298239999.00000000054F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.297817521.0000000004AF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.297755557.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815509685.0000000004C20000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.297710814.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.295787483.0000000000850000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.301385832.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815776896.0000000004D31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.817419709.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.297893846.0000000005280000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298028546.0000000005390000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298441375.0000000005550000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.297464641.0000000003430000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.294757561.00000000043D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.816312049.0000000004FD1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.297638381.00000000049C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298510030.0000000005581000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.816141431.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.814627918.00000000043C1000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.297863633.0000000004B21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.816054659.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.814701416.0000000004480000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.294337664.0000000004E00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.297583118.0000000004990000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.816243405.0000000004FA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.301361900.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.297668150.0000000004D91000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.294482062.0000000002990000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.817244449.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298093850.00000000053C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.295818674.0000000000881000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815880931.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.817694741.00000000053A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.817922483.0000000005620000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.816664369.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.815012363.00000000045D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.817778819.00000000053D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.298383199.0000000005521000.00000020.00000001.sdmp, type: MEMORY

                      System Summary:

                      Source: 7MhGa3iotM.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Kgiezrb\
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10020011
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100181CA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001929D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002542D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100274AE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10026575
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001869D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001178A
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10016860
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002596F
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10022A5C
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10018A71
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001AAB7
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1001CB16
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10018E7D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10025EB1
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E485FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4EFDD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4E4E5
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4CCD9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E31CA1
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4A474
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4DC71
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E37442
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3A445
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E33431
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E49DF5
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E355FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4C5D5
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3C5D8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E43D85
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4654A
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E52D53
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E47D5B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E48D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4AD08
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E45515
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E53EE9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4BEFD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E43EAA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E536AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E40EBC
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E546BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3C6B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3DE74
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E37E79
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4567B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3E640
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E42E5D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E38636
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E467E6
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3E7DE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E377A3
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E48FAE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E507AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E517BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E357B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3BFBE
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E40F86
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E44F74
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E49774
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E45779
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E4FF58
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E31F38
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3670B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3EF0C
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E3F0E9
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04E500EF