
Windows Analysis Report nIQCsrVbbw

Overview

General Information

Sample Name: nIQCsrVbbw (renamed file extension from none to dll)
Analysis ID: 553359
MD5: 06b75d254c6844f78c7d7eefa5b1243e
SHA1: af4b4dccf317dbeeab97868a9514a7c9e496c8d3
SHA256: b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
Tags: 32, dll, exe
Most interesting Screenshot:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6748 cmdline: loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6784 cmdline: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6772 cmdline: regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6816 cmdline: rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4872 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6012 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 7056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1768 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 3876 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2064 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 27 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.4860000.8.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.1140000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
2.2.regsvr32.exe.3330000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.5380000.9.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.51c0000.5.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 44 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6764, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, ProcessId: 6784

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.d00000.0.raw.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: nIQCsrVbbw.dll | Virustotal: Detection: 15%
Source: nIQCsrVbbw.dll | ReversingLabs: Detection: 16%
Source: nIQCsrVbbw.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383845627.00000000035D4000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383476749.0000000005098000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.394941169.0000000000EF2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383589686.00000000035DA000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb= source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 45.138.98.34:80
Source: Malware configuration extractor | IPs: 69.16.218.101:8080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.168.220:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 104.131.62.48:8080
Source: Malware configuration extractor | IPs: 62.171.178.147:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 210.57.209.142:8080
Source: Malware configuration extractor | IPs: 159.69.237.188:443
Source: Malware configuration extractor | IPs: 116.124.128.206:8080
Source: Malware configuration extractor | IPs: 128.199.192.135:8080
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Malware configuration extractor | IPs: 185.148.168.15:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 190.90.233.66:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 69.16.218.101:8080
Source: unknown | Network traffic detected: IP country count 12
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000017.00000003.472067286.000001D8FAB99000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000017.00000002.488230673.000001D8FAB00000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000E.00000003.438068118.00000000006E2000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.436839850.0000000004F9C000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f94ba70d714c2
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.17.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.465928142.000001D8FAB90000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10001280 recvfrom,2_2_10001280
Source: loaddll32.exe, 00000000.00000000.379244317.00000000006FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,12_2_10027958

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara matchFile source: 5.2.rundll32.exe.4860000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1140000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5380000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.51c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1270000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5320000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.11d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d50000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.12a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5090000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d50000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1270000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.3410000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1140000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5060000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1170000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.56c0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5350000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5350000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1390000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d00000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.560000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5190000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.7c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.52f0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.3330000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4830000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.560000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.d00000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.4b70000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1390000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4860000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.11d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.4c90000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.880000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5060000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.5190000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.56c0000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.56f0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.370265294.00000000056C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.359468675.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.368368956.0000000004831000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369446130.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.368922473.0000000004B71000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367128450.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367810302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367757114.0000000001171000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.370663067.0000000001190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369147966.0000000005060000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.368438775.0000000004860000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.306669964.0000000003411000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.370426063.00000000056F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369281669.0000000005190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367845396.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367713608.0000000001140000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.379371136.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.376060277.0000000004C91000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369637751.0000000005350000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.397131962.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367919454.0000000001390000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.367465277.0000000000BC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.368222308.00000000011D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.376003738.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.379329782.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369552219.0000000005321000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.369203622.0000000005091000.00000020.00000001.sdmp, type: MEMORY
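The Yara match list above and the file operations reported under System Summary further down are easier to act on once they are grouped by process. The following Python helper is an added example written for this page, not part of the Joe Sandbox report: it parses report lines of the kind shown in this listing (the embedded sample lines are copied from it) and reports, per process index, how many unpacked PE regions and memory regions matched and how many of those memory regions were writable and executable, and it flags file operations that strip a Zone.Identifier stream or land under the Windows system directory. The dump-name layout `<proc>.<run>.<id>.<base>.<protection>.<kind>.sdmp`, and the reading of the fifth field as a Windows PAGE_* protection value, are assumptions inferred from the listing rather than vendor-documented.

```python
"""Added triage helper (not part of the Joe Sandbox report).

Parses the report's "Source: ..." signature lines and summarises, per
process index, where the Emotet Yara rules hit and which file operations
touch the Windows system directory or remove a Zone.Identifier stream.
"""
import re
from collections import defaultdict

# Windows memory protection constants from winnt.h.  A mapped image section
# is normally PAGE_EXECUTE_READ; PAGE_EXECUTE_READWRITE is the usual sign of
# code that was written at run time (unpacked or injected).
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

# ASSUMPTION: dump names are "<proc>.<run>.<id>.<base>.<protection>.<kind>.sdmp",
# with every field except <id> in hex; inferred from the listing above.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$", re.I)
# Unpacked PE names look like "5.2.rundll32.exe.4860000.8.raw.unpack".
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-f]+)\."
    r"\d+(?:\.raw)?\.unpack$", re.I)
YARA_RE = re.compile(r"Yara matchFile source: (?P<src>\S+), type: (?P<type>\w+)")
# File-operation rows; the optional "Jump to behavior" is page residue.
FILEOP_RE = re.compile(
    r"^Source: (?P<image>.+?)File (?P<op>created|deleted): (?P<path>.+?)"
    r"(?:Jump to behavior)?$")

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

# Constructed sample: eight rows copied from the listing on this page.
SAMPLE = [
    r"Source: Yara matchFile source: 5.2.rundll32.exe.4860000.8.raw.unpack, type: UNPACKEDPE",
    r"Source: Yara matchFile source: 2.2.regsvr32.exe.3330000.0.raw.unpack, type: UNPACKEDPE",
    r"Source: Yara matchFile source: 0.0.loaddll32.exe.d50000.1.unpack, type: UNPACKEDPE",
    r"Source: Yara matchFile source: 00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp, type: MEMORY",
    r"Source: Yara matchFile source: 0000000C.00000002.370265294.00000000056C0000.00000040.00000001.sdmp, type: MEMORY",
    r"Source: Yara matchFile source: 00000005.00000002.367128450.0000000000560000.00000040.00000001.sdmp, type: MEMORY",
    r"Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.IdentifierJump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Uibizbzyxusffon\Jump to behavior",
]


def parse_report(lines):
    """Return ({proc_index: summary}, [(image, op, path, reasons), ...])."""
    procs = defaultdict(lambda: {"image": None, "unpacked_pe": set(),
                                 "mem_regions": {}, "rwx_regions": 0})
    file_flags = []
    for raw in lines:
        line = raw.strip()
        m = YARA_RE.search(line)
        if m:
            src, kind = m.group("src"), m.group("type")
            if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
                p = procs[int(u.group("proc"))]
                p["image"] = u.group("image")
                p["unpacked_pe"].add(int(u.group("base"), 16))
            elif kind == "MEMORY" and (d := SDMP_RE.match(src)):
                p = procs[int(d.group("proc"), 16)]
                base, prot = int(d.group("base"), 16), int(d.group("prot"), 16)
                p["mem_regions"][base] = prot
                if prot == PAGE_EXECUTE_READWRITE:
                    p["rwx_regions"] += 1
            continue
        m = FILEOP_RE.match(line)
        if m:
            path, op = m.group("path"), m.group("op")
            reasons = []
            if op == "deleted" and path.lower().endswith(":zone.identifier"):
                reasons.append("Mark-of-the-Web stream removed")
            if path.lower().startswith(SYSTEM_DIRS):
                reasons.append("path under Windows system directory")
            if reasons:
                file_flags.append((m.group("image"), op, path, reasons))
    return dict(procs), file_flags


def summarize(procs, file_flags):
    """Render the parse result as one line per process and per flagged file op."""
    out = []
    for idx in sorted(procs):
        p = procs[idx]
        out.append(f"proc {idx:>2} {p['image'] or '?':<14} unpacked PE: {len(p['unpacked_pe'])}"
                   f"  memory hits: {len(p['mem_regions'])}  RWX: {p['rwx_regions']}")
    for image, op, path, reasons in file_flags:
        out.append(f"{image} {op} {path}  <- {'; '.join(reasons)}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(*parse_report(SAMPLE))))
```

Feed it the whole listing instead of the sample and the RWX column tells you which regions to dump first: a DLL mapped by rundll32 or regsvr32 would normally show PAGE_EXECUTE_READ (0x20) for its code, so matches in 0x40 regions are where the unpacked payload lives.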

                      System Summary:

                      Source: nIQCsrVbbw.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
                      Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Uibizbzyxusffon\
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100291F6
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002F378
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100403D7
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1004250B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10041557
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100395A1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002F784
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1004091B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002EACF
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002EFA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC8636
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE2009
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCDE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD4A66
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDB257
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCA445
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE17BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD85FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDEFDD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCC5D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDAD08
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC670B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDFF58
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDE955
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD654A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD2142
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD0EBC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE46BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCC6B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD0ABA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE36AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCBAA9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD3EAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDA2A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC1CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDBEFD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE00EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCF0E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE3EE9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDE4E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDCCD9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDD8DB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDCAD5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC80C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC3431
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCB820
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD8806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD9A01
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC7078
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC7E79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD567B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDA474
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDDC71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCA871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE0A64
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE3263
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD2E5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD4244
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCE640
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDF840
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC7442
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDD1BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCBFBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC57B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD8FAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE07AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC77A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC2194
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC238C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCFB8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD3D85
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD6187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD0F86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC4BFC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC55FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD27F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDE1F8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD9DF5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD07F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD67E6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCE7DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDFBDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BDC5D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD8D3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC1F38
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD5333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD5515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCEF0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE2B09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD5779
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BC6B7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD017B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD437A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD4F74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD9774
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCF369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BD7D5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BE2D53
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00BCD14C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1002EFA4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030E38 appears 49 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030535 appears 76 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030E38 appears 116 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1003578B appears 46 times
                      Source: C:\Windows\SysWOW64\