
Windows Analysis Report 5o8zdV3GU3

Overview

General Information

Sample Name: 5o8zdV3GU3 (renamed file extension from none to dll)
Analysis ID: 553143
MD5: 189bf4703028e64816a04b4e4ed2767d
SHA1: 0b7b0275e4095b367cb9bc54594d67b539b70ff1
SHA256: adadac282d13fd1859a084555e73747d751d27f39059026c08b52f2a316dddc9
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 6968 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 7012 cmdline: loaddll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7068 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7156 cmdline: rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6428 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 7140 cmdline: regsvr32.exe /s C:\Users\user\Desktop\5o8zdV3GU3.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6476 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6076 cmdline: rundll32.exe C:\Users\user\Desktop\5o8zdV3GU3.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5032 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mumgmtegektiykh\kztyzxlvaam.cuq",PuybGev MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4008 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mumgmtegektiykh\kztyzxlvaam.cuq",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 720 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5140 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6440 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6416 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6568 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4476 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4104 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.288106949.0000000002920000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000009.00000002.295420739.00000000025D0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000F.00000002.299662672.0000000004B31000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000009.00000002.295926271.0000000004820000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000C.00000002.322196530.00000000046F1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(23 entries in total; the first five are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.rundll32.exe.4980000.10.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.4800000.8.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.47c0000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.25d0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
15.2.rundll32.exe.4b30000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(37 entries in total; the first five are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7068, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\5o8zdV3GU3.dll",#1, ProcessId: 7156

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 9.2.rundll32.exe.47c0000.6.raw.unpack, Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: 5o8zdV3GU3.dll, Virustotal: Detection: 30%
Machine Learning detection for sample
Source: 5o8zdV3GU3.dll, Joe Sandbox ML: detected
Source: 5o8zdV3GU3.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49745 -> 45.138.98.34:80
Source: Traffic, Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49746 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: 45.138.98.34:80
Source: Malware configuration extractor, IPs: 69.16.218.101:8080
Source: Malware configuration extractor, IPs: 51.210.242.234:8080
Source: Malware configuration extractor, IPs: 185.148.168.220:8080
Source: Malware configuration extractor, IPs: 142.4.219.173:8080
Source: Malware configuration extractor, IPs: 54.38.242.185:443
Source: Malware configuration extractor, IPs: 191.252.103.16:80
Source: Malware configuration extractor, IPs: 104.131.62.48:8080
Source: Malware configuration extractor, IPs: 62.171.178.147:8080
Source: Malware configuration extractor, IPs: 217.182.143.207:443
Source: Malware configuration extractor, IPs: 168.197.250.14:80
Source: Malware configuration extractor, IPs: 37.44.244.177:8080
Source: Malware configuration extractor, IPs: 66.42.57.149:443
Source: Malware configuration extractor, IPs: 210.57.209.142:8080
Source: Malware configuration extractor, IPs: 159.69.237.188:443
Source: Malware configuration extractor, IPs: 116.124.128.206:8080
Source: Malware configuration extractor, IPs: 128.199.192.135:8080
Source: Malware configuration extractor, IPs: 195.154.146.35:443
Source: Malware configuration extractor, IPs: 185.148.168.15:8080
Source: Malware configuration extractor, IPs: 195.77.239.39:8080
Source: Malware configuration extractor, IPs: 207.148.81.119:8080
Source: Malware configuration extractor, IPs: 85.214.67.203:8080
Source: Malware configuration extractor, IPs: 190.90.233.66:443
Source: Malware configuration extractor, IPs: 78.46.73.125:443
Source: Malware configuration extractor, IPs: 78.47.204.80:443
Source: Malware configuration extractor, IPs: 37.59.209.141:8080
Source: Malware configuration extractor, IPs: 54.37.228.122:443
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 104.131.62.48
Source: global traffic, TCP traffic: 192.168.2.3:49746 -> 69.16.218.101:8080
Source: unknown, Network traffic detected: IP country count 11
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
                      Source: svchost.exe, 00000018.00000003.393856935.000001E6A5995000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH
","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000018.00000003.393856935.000001E6A5995000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH
","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000018.00000003.393856935.000001E6A5995000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000018.00000003.393856935.000001E6A5995000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000002.411666750.000001E6A52E8000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000002.411666750.000001E6A52E8000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.18.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000012.00000003.346414857.00000000055BE000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.347045018.0000000005590000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.347166038.00000000055B6000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b1afdd3bf6d13
Source: svchost.exe, 00000018.00000003.388724008.000001E6A595D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388810562.000001E6A5E02000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388740953.000001E6A5979000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.312216539.0000027C67A13000.00000004.00000001.sdmp, String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000003.00000002.808986189.0000026843644000.00000004.00000001.sdmp, String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000003.00000002.808986189.0000026843644000.00000004.00000001.sdmp, String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000003.00000002.808986189.0000026843644000.00000004.00000001.sdmp, String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000003.00000002.808986189.0000026843644000.00000004.00000001.sdmp, String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000002.808986189.0000026843644000.00000004.00000001.sdmp, String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000003.00000002.808986189.0000026843644000.00000004.00000001.sdmp, String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.311173852.0000027C67A49000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.312248027.0000027C67A3D000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.310880307.0000027C67A67000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.312284199.0000027C67A69000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.312260288.0000027C67A4B000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.311173852.0000027C67A49000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.287688148.0000027C67A31000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.312248027.0000027C67A3D000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.311625138.0000027C67A41000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.311420754.0000027C67A40000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.312254295.0000027C67A42000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.311625138.0000027C67A41000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.311420754.0000027C67A40000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.312254295.0000027C67A42000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.311420754.0000027C67A40000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.312269483.0000027C67A5C000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000018.00000003.388724008.000001E6A595D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388810562.000001E6A5E02000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388740953.000001E6A5979000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.311173852.0000027C67A49000.00000004.00000001.sdmp, String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.312269483.0000027C67A5C000.00000004.00000001.sdmp, String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.312269483.0000027C67A5C000.00000004.00000001.sdmp, String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.311173852.0000027C67A49000.00000004.00000001.sdmp, String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.311061989.0000027C67A60000.00000004.00000001.sdmp, String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.312248027.0000027C67A3D000.00000004.00000001.sdmp, String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.287688148.0000027C67A31000.00000004.00000001.sdmp, String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.312248027.0000027C67A3D000.00000004.00000001.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.312248027.0000027C67A3D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.312216539.0000027C67A13000.00000004.00000001.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.311420754.0000027C67A40000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.311559423.0000027C67A45000.00000004.00000001.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.311420754.0000027C67A40000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.311559423.0000027C67A45000.00000004.00000001.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.287688148.0000027C67A31000.00000004.00000001.sdmp, String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.311709544.0000027C67A3A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.287688148.0000027C67A31000.00000004.00000001.sdmp, String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000D.00000002.312260288.0000027C67A4B000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.311173852.0000027C67A49000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000018.00000003.388724008.000001E6A595D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388810562.000001E6A5E02000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388740953.000001E6A5979000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000018.00000003.388724008.000001E6A595D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388810562.000001E6A5E02000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.388740953.000001E6A5979000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000018.00000003.389559591.000001E6A597C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.389828999.000001E6A599E000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.389643100.000001E6A59D6000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.389608441.000001E6A59D6000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_100012D0 recvfrom,6_2_100012D0
                      Source: loaddll32.exe, 00000002.00000002.292296586.00000000015EB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,6_2_1000FF59
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,7_2_1000FF59
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,12_2_1000FF59

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 9.2.rundll32.exe.4980000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.4800000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.47c0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.25d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.4b30000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.4800000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.25c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.3340000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.3340000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4660000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4820000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4980000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.45b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4690000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.46f0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4850000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.49b0000.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.3370000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4580000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.3240000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.3ff0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.4590000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.46c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.4590000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.2600000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4660000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.25c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.3240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.47a0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.47f0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.25d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.2920000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.46c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.2920000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4580000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.4220000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.4820000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.47d0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.47c0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.4830000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.45c0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.47a0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000002.288106949.0000000002920000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295420739.00000000025D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.299662672.0000000004B31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295926271.0000000004820000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322196530.00000000046F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.288171571.0000000004221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295834893.0000000004691000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322096907.0000000004590000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295905840.00000000047F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322237408.00000000047A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295970010.0000000004980000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322126344.00000000045C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322324942.0000000004831000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322265167.00000000047D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295742622.0000000004580000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295801770.0000000004660000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.321908815.0000000003FF1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322168517.00000000046C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295884974.00000000047C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.321798721.00000000025C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295946412.0000000004851000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.291064992.0000000003371000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.299581696.0000000003240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295994852.00000000049B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295767081.00000000045B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.291040092.0000000003340000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.322291454.0000000004800000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.295442330.0000000002601000.00000020.00000001.sdmp, type: MEMORY
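Each MEMORY hit above is identified only by a dump name such as 00000009.00000002.295970010.0000000004980000.00000040.00000001.sdmp, and the UNPACKEDPE hits by names such as 9.2.rundll32.exe.4980000.10.unpack. The useful facts for a responder are buried in those names: which analysed process the region belongs to, where it is mapped, and what its page protection was when the Yara rule fired. The script below is an added example written for this report (it is not Joe Sandbox code). It assumes the dump name is laid out as process index, dump stage, dump id, base address, Win32 page protection, flag; that layout is inferred from the names on the page and is not a documented format. Run over lines copied from the list above, it shows that every Emotet match sits in a PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_READ region inside regsvr32.exe or rundll32.exe, and that each such region maps to a 64 KiB allocation from which an unpacked PE was extracted, which is what you expect from a loader that writes its payload into freshly allocated executable memory.

```python
"""Decode memory-dump and unpacked-PE names from Joe Sandbox 'Yara match' lines.

Added example for reading this report, not Joe Sandbox code. The field layout
of a '.sdmp' name is an assumption inferred from the names on the page:
    <process index>.<dump stage>.<dump id>.<base address>.<page protection>.<flag>.sdmp
The page-protection field is interpreted as the Win32 PAGE_* value.
"""
import re

# Win32 page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # set for every PAGE_EXECUTE* value

SDMP_RE = re.compile(
    r"\b([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp\b"
)
# Unpacked-PE names: <process index>.<stage>.<image>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"\b(\d+)\.(\d+)\.([\w-]+\.exe)\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack\b"
)


def parse_sdmp(text):
    """Return the decoded fields of the first .sdmp name in text, or None."""
    m = SDMP_RE.search(text)
    if not m:
        return None
    proc, stage, dump_id, base, prot, flag = m.groups()
    prot_val = int(prot, 16)
    return {
        "process": int(proc, 16),
        "stage": int(stage, 16),
        "dump_id": dump_id,
        "base": int(base, 16),
        "protection": PAGE_PROTECTION.get(prot_val, hex(prot_val)),
        "executable": bool(prot_val & EXECUTE_MASK),
        "flag": int(flag, 16),
    }


def parse_unpack(text):
    """Return the fields of the first .unpack name in text, or None."""
    m = UNPACK_RE.search(text)
    if not m:
        return None
    proc, stage, image, base, index = m.groups()
    return {"process": int(proc), "stage": int(stage), "image": image,
            "base": int(base, 16), "index": int(index)}


def summarize(lines):
    """Group Yara-matched regions by process index.

    Returns {process: {"image": name or None, "regions": [...]}}; each region
    records its base, decoded protection, whether it is executable and whether
    an unpacked PE was extracted from the same allocation.
    """
    images, unpack_bases, regions = {}, set(), {}
    for line in lines:
        u = parse_unpack(line)
        if u:
            images[u["process"]] = u["image"]
            unpack_bases.add((u["process"], u["base"]))
            continue
        d = parse_sdmp(line)
        if d:
            regions.setdefault(d["process"], {})[d["base"]] = d  # dedupe by base
    out = {}
    for proc in sorted(set(images) | set(regions)):
        regs = []
        for base, d in sorted(regions.get(proc, {}).items()):
            # Windows reserves memory at 64 KiB allocation granularity, so
            # rounding the dumped region's base down finds its allocation
            # (the PAGE_EXECUTE_READ dump at 0x46F1000 belongs to the
            # allocation unpacked as 46f0000).
            alloc = base & ~0xFFFF
            regs.append({"base": base, "protection": d["protection"],
                         "executable": d["executable"],
                         "has_unpack": (proc, alloc) in unpack_bases})
        out[proc] = {"image": images.get(proc), "regions": regs}
    return out


# Constructed sample: lines copied from this report's 'Yara detected Emotet' list.
SAMPLE_LINES = [
    "Source: Yara match File source: 6.2.regsvr32.exe.2920000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 9.2.rundll32.exe.4980000.10.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 12.2.rundll32.exe.46f0000.5.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 15.2.rundll32.exe.4b30000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000006.00000002.288106949.0000000002920000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000002.295970010.0000000004980000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000C.00000002.322196530.00000000046F1000.00000020.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.299662672.0000000004B31000.00000020.00000001.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        for r in info["regions"]:
            print(f"process {proc:<3} {info['image'] or '?':<13} {r['base']:#011x} "
                  f"{r['protection']:<24} unpacked={r['has_unpack']}")
```

To run it against the full report, paste the whole Yara match list into SAMPLE_LINES (or read it from a file); the svchost.exe string hits earlier on the page decode the same way and come out as PAGE_READWRITE, non-executable heap, which is why they are benign string residue rather than code.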

                      System Summary:

                      Source: 5o8zdV3GU3.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Mumgmtegektiykh\kztyzxlvaam.cuq:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Mumgmtegektiykh\
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10020011
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_100181CA
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1001929D
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1002542D
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_100274AE
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10026575
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1001869D
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1001178A
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10016860
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1002596F
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10022A5C
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10018A71
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1001AAB7
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1001CB16
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10018E7D
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10025EB1
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042385FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423EFDD
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04223431
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423DC71
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423A474
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04227442
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422A445
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04221CA1
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423E4E5
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423CCD9
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04238D3D
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423AD08
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04235515
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423654A
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04242D53
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04237D5B
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04233D85
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04239DF5
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042255FF
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423C5D5
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422C5D8
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04228636
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422DE74
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423567B
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04227E79
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422E640
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04232E5D
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04233EAA
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042436AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042446BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422C6B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04230EBC
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04243EE9
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423BEFD
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04221F38
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422670B
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422EF0C
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04234F74
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04239774
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04235779
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423FF58
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042277A3
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04238FAE
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042407AA
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042417BD
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042257B8
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422BFBE
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04230F86
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042367E6
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422E7DE
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422B820
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04238806
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04242009
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422A871
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04227078
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423F840
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422F0E9
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042400EF
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_042280C0
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423D8DB
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423017B
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04232142
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422D14C
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423E955
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423D1BC
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04236187
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04222194
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423E1F8
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04239A01
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04237A0F
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04240A64
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04234A66
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04243263
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04234244
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423B257
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423A2A5
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0422BAA9
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04230ABA
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0423CAD5
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04235333
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04242B09
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10020011
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100181CA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001929D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1002542D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100274AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10026575
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001869D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001178A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10016860
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1002596F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10022A5C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018A71
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001AAB7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001CB16
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018E7D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10025EB1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10020011
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_100181CA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1001929D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1002542D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_100274AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10026575
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1001869D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1001178A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10016860
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1002596F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10022A5C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10018A71
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1001AAB7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1001CB16
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10018E7D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10025EB1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0400AD08
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0400654A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0400FF58
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0400EFDD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_04012009
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FF670B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_04002142
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FFDE74
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FF8636
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_04007A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FFC5D8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_04004A66
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FFA445
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FF4BFC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0400DC71
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FFFB8E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FF238C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0400A474
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FF6B7A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_03FFF369
                      Source: C:\Windows\SysWOW64\rundll3