Loading ...

Play interactive tourEdit tour

Windows Analysis Report PtBIxmYbK8

Overview

General Information

Sample Name:PtBIxmYbK8 (renamed file extension from none to dll)
Analysis ID:553387
MD5:cdf3dc30cd25f5dc97c5f7b9c2d1abe5
SHA1:2e60ddf31429088419bdd186f10ff5e2d437236c
SHA256:9b571f59abe91b0684fec7bc2311225630ee92c647cd91f37847cd5f8f1dc85c
Tags:32dllexe
Infos:

Most interesting Screenshot:

Detection

Emotet
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5048 cmdline: loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5300 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4792 cmdline: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 2524 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2948 cmdline: regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6080 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6344 cmdline: rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 2352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 2064 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5932 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5052 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.317784212.0000000004B11000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000008.00000002.318296649.0000000005421000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      0000000E.00000002.821346778.0000000004C61000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        0000000B.00000002.322635855.00000000027B1000.00000020.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000008.00000002.318248935.00000000053F0000.00000040.00000001.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 43 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            8.2.rundll32.exe.5420000.7.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              8.2.rundll32.exe.4ae0000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                14.2.rundll32.exe.2770000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  14.2.rundll32.exe.5510000.23.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    8.2.rundll32.exe.5450000.8.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 67 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5300, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1, ProcessId: 4792

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.loaddll32.exe.fd0000.0.raw.unpackMalware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
                      Source: PtBIxmYbK8.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318180272.0000000004A75000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.335325526.0000000000952000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.324414381.0000000004DD5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.318293259.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.319074804.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.324414381.0000000004DD5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbP% source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.318599175.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318317394.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb^% source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.318599175.0000000002FA7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318317394.0000000002FA7000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.324390015.0000000004DD0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb`%; source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb|%/ source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbz%1 source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.318293259.0000000002F9B000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.319074804.0000000002F9B000.00000004.00000001.sdmp

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
                      Source: TrafficSnort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorIPs: 45.138.98.34:80
                      Source: Malware configuration extractorIPs: 69.16.218.101:8080
                      Source: Malware configuration extractorIPs: 51.210.242.234:8080
                      Source: Malware configuration extractorIPs: 185.148.168.220:8080
                      Source: Malware configuration extractorIPs: 142.4.219.173:8080
                      Source: Malware configuration extractorIPs: 54.38.242.185:443
                      Source: Malware configuration extractorIPs: 191.252.103.16:80
                      Source: Malware configuration extractorIPs: 104.131.62.48:8080
                      Source: Malware configuration extractorIPs: 62.171.178.147:8080
                      Source: Malware configuration extractorIPs: 217.182.143.207:443
                      Source: Malware configuration extractorIPs: 168.197.250.14:80
                      Source: Malware configuration extractorIPs: 37.44.244.177:8080
                      Source: Malware configuration extractorIPs: 66.42.57.149:443
                      Source: Malware configuration extractorIPs: 210.57.209.142:8080
                      Source: Malware configuration extractorIPs: 159.69.237.188:443
                      Source: Malware configuration extractorIPs: 116.124.128.206:8080
                      Source: Malware configuration extractorIPs: 128.199.192.135:8080
                      Source: Malware configuration extractorIPs: 195.154.146.35:443
                      Source: Malware configuration extractorIPs: 185.148.168.15:8080
                      Source: Malware configuration extractorIPs: 195.77.239.39:8080
                      Source: Malware configuration extractorIPs: 207.148.81.119:8080
                      Source: Malware configuration extractorIPs: 85.214.67.203:8080
                      Source: Malware configuration extractorIPs: 190.90.233.66:443
                      Source: Malware configuration extractorIPs: 78.46.73.125:443
                      Source: Malware configuration extractorIPs: 78.47.204.80:443
                      Source: Malware configuration extractorIPs: 37.59.209.141:8080
                      Source: Malware configuration extractorIPs: 54.37.228.122:443
                      Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
                      Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                      Source: Joe Sandbox ViewIP Address: 207.148.81.119 207.148.81.119
                      Source: Joe Sandbox ViewIP Address: 104.131.62.48 104.131.62.48
                      Source: global trafficTCP traffic: 192.168.2.3:49744 -> 69.16.218.101:8080
                      Source: unknownNetwork traffic detected: IP country count 12
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.138.98.34
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: unknownTCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000019.00000003.505375546.000002AE4D5A2000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000019.00000003.505375546.000002AE4D5A2000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: !ached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"
                      Source: svchost.exe, 00000019.00000003.505360189.000002AE4D591000.00000004.00000001.sdmpString found in binary or memory: !ached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"
                      Source: svchost.exe, 00000019.00000002.520960706.000002AE4D500000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000019.00000002.520960706.000002AE4D500000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
                      Source: rundll32.exe, 0000000E.00000003.358145505.000000000523A000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                      Source: rundll32.exe, 0000000E.00000003.358145505.000000000523A000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.358271514.000000000523A000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.823109589.000000000523A000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/C
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: rundll32.exe, 0000000E.00000003.356841146.0000000005246000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c7b29d1b31ef2
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: Amcache.hve.12.drString found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000019.00000003.500259920.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500326939.000002AE4D5A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500297835.000002AE4D5C0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.500278723.000002AE4D5C0000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000019.00000003.501393956.000002AE4D57F000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501270072.000002AE4D5A7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501449448.000002AE4DA02000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501250445.000002AE4D5A7000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.501407683.000002AE4D590000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10001280 recvfrom,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 8.2.rundll32.exe.5420000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4ae0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2770000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5510000.23.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5450000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c30000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.57d0000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.29d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.53b0000.19.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5800000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.27f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4ad0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54e0000.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5480000.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.43a0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50a0000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5450000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.51b0000.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.fd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5290000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2c10000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5180000.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4ad0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4ae0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4b00000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.29d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5380000.18.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.52c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.57d0000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.51d0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50d0000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4f80000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c30000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54e0000.22.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4cc0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.43a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e40000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5380000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4fb0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.4b10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c60000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.27b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2780000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.54b0000.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4a20000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c90000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4f80000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2770000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5290000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5480000.20.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.regsvr32.exe.e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.53f0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.5180000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.50a0000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2aa0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.4c90000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.fd0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.49f0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.53f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.2aa0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.5480000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.317784212.0000000004B11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318296649.0000000005421000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821346778.0000000004C61000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.322635855.00000000027B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318248935.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821133025.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823386199.0000000005480000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823214789.0000000005380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823440702.00000000054B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821423822.0000000004C90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318348439.0000000005450000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318434863.00000000057D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823555104.0000000005511000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820324985.00000000027F1000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820654150.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820892029.00000000043A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821081659.0000000004A21000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.308585083.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822157417.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822267335.0000000004FB1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821518387.0000000004CC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.338458195.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823505581.00000000054E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821036845.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.311393772.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.312025488.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.302688522.0000000000E41000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309571551.0000000002C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.304075743.00000000043A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318371369.0000000005481000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.820233700.0000000002770000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.303853951.00000000029D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.302564495.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822785123.0000000005180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318088092.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318476000.0000000005801000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.337429522.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.317749398.0000000004AE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821283927.0000000004C30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.322569629.0000000002780000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318172231.00000000052C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.823282045.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.821167570.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822609344.00000000050A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318112393.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.318147984.0000000005290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822887843.00000000051B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.822664620.00000000050D1000.00000020.00000001.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Source: PtBIxmYbK8.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg:Zone.IdentifierJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Awlpqazimav\Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2EFDD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C180C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2CAD5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2D8DB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2CCD9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2E4E5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1F0E9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C33EE9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C300EF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2BEFD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C11CA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2A2A5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C23EAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1BAA9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C336AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C20ABA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1C6B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C346BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C20EBC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1E640
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2F840
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C17442
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1A445
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C24244
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2B257
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C22E5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C33263
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C24A66
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C30A64
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1A871
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2DC71
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1DE74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2A474
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C17E79
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C17078
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2567B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C29A01
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C28806
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C32009
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C27A0F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1B820
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C13431
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C18636
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2C5D5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1C5D8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1E7DE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C267E6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C29DF5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2E1F8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C285FF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C14BFC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C155FF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C20F86
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C26187
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C23D85
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1238C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1FB8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C12194
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C177A3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C307AA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C28FAE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C157B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2D1BC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C317BD
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1BFBE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C22142
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2654A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1D14C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C32D53
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2E955
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C27D5B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2FF58
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1F369
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C24F74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C29774
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2017B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C25779
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C16B7A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C32B09
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1670B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C2AD08
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C1EF0C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C25515
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C25333
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C11F38
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02C28D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1004091B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100291F6
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1002EACF
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100403D7
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1004250B
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10041557
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10035D96
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100395A1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002EFA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_1002EFA4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030E38 appears 54 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030535 appears 37 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030E38 appears 116 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1003578B appears 46 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030535 appears 174 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030568 appears 32 times
                      Source: PtBIxmYbK8.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                      Source: PtBIxmYbK8.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1607.tmpJump to behavior
                      Source: classification engineClassification label: mal84.troj.evad.winDLL@27/10@0/28
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5932:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5048
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10021183 LoadResource,LockResource,SizeofResource,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.318305302.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318774680.0000000002FA1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318180272.0000000004A75000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.324332756.0000000004DD2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.324322140.0000000004E01000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.324340922.0000000004DD8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.324430150.0000000004DD8000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.335325526.0000000000952000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.3244