Loading ...

Play interactive tourEdit tour

Windows Analysis Report 4NBdOVqTyL

Overview

General Information

Sample Name:4NBdOVqTyL (renamed file extension from none to dll)
Analysis ID:553378
MD5:2b23fdac0d28360136a616b2803c286f
SHA1:5e730fa1ccfc04c44a34fd385dadc3d03d72d9b3
SHA256:cd5cb5b1c82dd0f301aac47ab966f00b4abc69a24a6a8c789ee7362a2c128537
Tags:32dllexe
Infos:

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5652 cmdline: loaddll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4068 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4140 cmdline: rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2900 cmdline: regsvr32.exe /s C:\Users\user\Desktop\4NBdOVqTyL.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 3440 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2368 cmdline: rundll32.exe C:\Users\user\Desktop\4NBdOVqTyL.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6792 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat",KEPxusHldvFY MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6996 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qpmpohowskn\yxodzrkk.uat",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 3440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 524 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 3264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5056 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 2132 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5652 -ip 5652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 2132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6200 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6268 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6392 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6520 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6540 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 848 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5772 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.295170355.0000000002441000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000005.00000002.319311816.0000000004FE0000.00000040.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      00000003.00000002.264232474.0000000003450000.00000040.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000003.00000002.264445003.0000000003601000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000001.00000000.271674594.0000000002441000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 24 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.2.rundll32.exe.11e0000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              5.2.rundll32.exe.1190000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                3.2.regsvr32.exe.3450000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  1.2.loaddll32.exe.2410000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    1.0.loaddll32.exe.2410000.3.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 39 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4068, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1, ProcessId: 4140

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 1.2.loaddll32.exe.2410000.0.raw.unpackMalware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 4NBdOVqTyL.dllVirustotal: Detection: 16%Perma Link
                      Source: 4NBdOVqTyL.dllReversingLabs: Detection: 16%
                      Source: 4NBdOVqTyL.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.276091697.0000000004BA4000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.279984565.0000000005585000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000A.00000003.279984565.0000000005585000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
                      Source: Binary string: awnjrznCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.294194625.0000000002B12000.00000004.00000001.sdmp

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.7:49769 -> 45.138.98.34:80
                      Source: TrafficSnort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.7:49775 -> 69.16.218.101:8080
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorIPs: 45.138.98.34:80
                      Source: Malware configuration extractorIPs: 69.16.218.101:8080
                      Source: Malware configuration extractorIPs: 51.210.242.234:8080
                      Source: Malware configuration extractorIPs: 185.148.168.220:8080
                      Source: Malware configuration extractorIPs: 142.4.219.173:8080
                      Source: Malware configuration extractorIPs: 54.38.242.185:443
                      Source: Malware configuration extractorIPs: 191.252.103.16:80
                      Source: Malware configuration extractorIPs: 104.131.62.48:8080
                      Source: Malware configuration extractorIPs: 62.171.178.147:8080
                      Source: Malware configuration extractorIPs: 217.182.143.207:443
                      Source: Malware configuration extractorIPs: 168.197.250.14:80
                      Source: Malware configuration extractorIPs: 37.44.244.177:8080
                      Source: Malware configuration extractorIPs: 66.42.57.149:443
                      Source: Malware configuration extractorIPs: 210.57.209.142:8080
                      Source: Malware configuration extractorIPs: 159.69.237.188:443
                      Source: Malware configuration extractorIPs: 116.124.128.206:8080
                      Source: Malware configuration extractorIPs: 128.199.192.135:8080
                      Source: Malware configuration extractorIPs: 195.154.146.35:443
                      Source: Malware configuration extractorIPs: 185.148.168.15:8080
                      Source: Malware configuration extractorIPs: 195.77.239.39:8080
                      Source: Malware configuration extractorIPs: 207.148.81.119:8080
                      Source: Malware configuration extractorIPs: 85.214.67.203:8080
                      Source: Malware configuration extractorIPs: 190.90.233.66:443
                      Source: Malware configuration extractorIPs: 78.46.73.125:443
                      Source: Malware configuration extractorIPs: 78.47.204.80:443
                      Source: Malware configuration extractorIPs: 37.59.209.141:8080
                      Source: Malware configuration extractorIPs: 54.37.228.122:443
                      Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
                      Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                      Source: Joe Sandbox ViewIP Address: 207.148.81.119 207.148.81.119
                      Source: Joe Sandbox ViewIP Address: 104.131.62.48 104.131.62.48
                      Source: global trafficTCP traffic: 192.168.2.7:49775 -> 69.16.218.101:8080
                      Source: unknownNetwork traffic detected: IP country count 12
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000001F.00000003.445790114.0000020122FA3000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001F.00000003.445790114.0000020122FA3000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmpString found in binary or memory: Mstrings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"le
                      Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmpString found in binary or memory: Mstrings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"le
                      Source: svchost.exe, 00000006.00000002.605909216.000002862B800000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.468338657.0000020122F00000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000006.00000002.606054502.000002862B86F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.468183652.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438323248.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438202775.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439895742.00000201226F2000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.21.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: svchost.exe, 00000006.00000002.605731158.00000286262B2000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.605257783.00000286262AD000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/0
                      Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 0000000E.00000002.317874297.0000027DDB213000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000E.00000002.318216228.0000027DDB269000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315380905.0000027DDB267000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000E.00000003.315710943.0000027DDB24F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315466244.0000027DDB24D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000E.00000003.315640761.0000027DDB241000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318084456.0000027DDB242000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000E.00000003.315640761.0000027DDB241000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318084456.0000027DDB242000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318111308.0000027DDB24B000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
                      Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318111308.0000027DDB24B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318111308.0000027DDB24B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.315466244.0000027DDB24D000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.317874297.0000027DDB213000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.315624929.0000027DDB245000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.315624929.0000027DDB245000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000E.00000003.315665164.0000027DDB239000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000E.00000003.315710943.0000027DDB24F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315466244.0000027DDB24D000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 0000001F.00000003.439771045.0000020122F86000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439928882.0000020123419000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439947599.0000020123402000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10001280 recvfrom,3_2_10001280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,4_2_10027958

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 5.2.rundll32.exe.11e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.3450000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.loaddll32.exe.2410000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.loaddll32.exe.2410000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4f10000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4ea0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.loaddll32.exe.2440000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.loaddll32.exe.2410000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4ee0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1080000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.loaddll32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.3450000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5220000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1080000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1100000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.50c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5280000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4e70000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2440000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.d90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4ee0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4e70000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5280000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1200000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.50c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.loaddll32.exe.2440000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4fe0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4fe0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.d90000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5250000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1200000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.loaddll32.exe.2410000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.10b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.3600000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5220000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.4d90000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.50f0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5010000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.295170355.0000000002441000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319311816.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.264232474.0000000003450000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.264445003.0000000003601000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.271674594.0000000002441000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.311419094.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.318504064.00000000011E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.317746254.0000000001101000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319427752.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.318779993.0000000004EE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319564676.0000000005251000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.351346080.00000000010B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.318608097.0000000004D91000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.317543692.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319602388.0000000005280000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.317818773.0000000001200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.269063962.0000000002410000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.269192745.0000000002441000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319530979.0000000005220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.295121036.0000000002410000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.351308553.0000000001080000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.271620291.0000000002410000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.318684339.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319354268.0000000005011000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.318831787.0000000004F11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.318726166.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.311608118.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.318456425.0000000001190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.319460126.00000000050F1000.00000020.00000001.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Source: 4NBdOVqTyL.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5652 -ip 5652
                      Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat:Zone.IdentifierJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Qpmpohowskn\Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245EFDD1_2_0245EFDD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244A4451_2_0244A445
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024542441_2_02454244
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244E6401_2_0244E640
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245F8401_2_0245F840
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024474421_2_02447442
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245B2571_2_0245B257
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02452E5D1_2_02452E5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02460A641_2_02460A64
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02454A661_2_02454A66
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024632631_2_02463263
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244DE741_2_0244DE74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245A4741_2_0245A474
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245DC711_2_0245DC71
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244A8711_2_0244A871
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024470781_2_02447078
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02447E791_2_02447E79
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245567B1_2_0245567B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024588061_2_02458806
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02459A011_2_02459A01
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02457A0F1_2_02457A0F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024620091_2_02462009
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244B8201_2_0244B820
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024486361_2_02448636
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024434311_2_02443431
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024480C01_2_024480C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245CAD51_2_0245CAD5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245CCD91_2_0245CCD9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245D8DB1_2_0245D8DB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245E4E51_2_0245E4E5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024600EF1_2_024600EF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244F0E91_2_0244F0E9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02463EE91_2_02463EE9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245BEFD1_2_0245BEFD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245A2A51_2_0245A2A5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02441CA11_2_02441CA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024636AA1_2_024636AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244BAA91_2_0244BAA9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02453EAA1_2_02453EAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02450EBC1_2_02450EBC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024646BD1_2_024646BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244C6B81_2_0244C6B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02450ABA1_2_02450ABA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024521421_2_02452142
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244D14C1_2_0244D14C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245654A1_2_0245654A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245E9551_2_0245E955
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02462D531_2_02462D53
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245FF581_2_0245FF58
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02457D5B1_2_02457D5B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0244F3691_2_0244F369
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02454F741_2_02454F74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024597741_2_02459774
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024557791_2_02455779
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02446B7A1_2_02446B7A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0245017B1_2_0245017B</