Windows Analysis Report gyZm68Cgwf

Overview

General Information

Sample Name: gyZm68Cgwf (renamed file extension from none to dll)
Analysis ID: 553152
MD5: e6a310366f705e69cf9acf9738cd9c19
SHA1: 155edf8c757c340a3e60b9bf3d22568c997715db
SHA256: 4185087d600fb3a1d03e10017bf55233c84013b2e29ca9e0321686cac7c5e1cf
Tags: 32 dll exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4856 cmdline: loaddll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4608 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4528 cmdline: rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 4536 cmdline: regsvr32.exe /s C:\Users\user\Desktop\gyZm68Cgwf.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 4520 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4592 cmdline: rundll32.exe C:\Users\user\Desktop\gyZm68Cgwf.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4476 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eehwmcxbz\pepkl.dhq",tlvll MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Eehwmcxbz\pepkl.dhq",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6632 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6736 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4424 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6696 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3244 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1676 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 1472 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5352 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
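The configuration above is the most directly actionable artifact in the report. The script below is an added example written for this page; it is not the sandbox's extractor and not Emotet's own code. It parses the JSON, decodes the two "Public Key" blobs, and emits a blocklist plus Suricata rules for the C2 list. The blob layout it assumes is the Windows CNG BCRYPT_ECCKEY_BLOB (4-byte magic, 4-byte little-endian coordinate length, then X and Y as big-endian integers); that assumption is consistent with the "ECK1" and "ECS1" magics and the 32-byte coordinate length the blobs decode to, which mark them as ECDH and ECDSA P-256 public keys. The P-256 on-curve check guards against a key that was mangled in transcription. The Suricata SID range, rule message and rule template are constructed for illustration.

```python
"""Decode and operationalise the Emotet configuration shown above.

Added example for this page (not the sandbox's extractor, not Emotet code).
Assumption: each "Public Key" entry is a base64 Windows CNG BCRYPT_ECCKEY_BLOB
(4-byte magic, 4-byte little-endian key length, X, Y; coordinates big-endian).
The Suricata SID range and message text are constructed for illustration.
"""
import base64
import json
import struct

# Configuration exactly as extracted in the report.
CONFIG_JSON = r'''{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080",
"51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080",
"54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080",
"62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80",
"37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080",
"159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080",
"195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080",
"207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443",
"78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080",
"54.37.228.122:443"],
"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
"RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}'''

# NIST P-256 domain parameters (y^2 = x^3 - 3x + b mod p) and base point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# CNG magics for P-256 public key blobs (ASCII "ECK1" / "ECS1").
ECC_MAGICS = {b"ECK1": "ECDH P-256 public key", b"ECS1": "ECDSA P-256 public key"}


def load_config(text):
    return json.loads(text)


def on_curve(x, y):
    """True if (x, y) satisfies the P-256 curve equation."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def decode_ecc_blob(b64):
    """Parse a base64 BCRYPT_ECCKEY_BLOB into its magic, kind and coordinates."""
    blob = base64.b64decode(b64)
    magic, cbkey = blob[:4], struct.unpack("<I", blob[4:8])[0]
    if magic not in ECC_MAGICS or len(blob) != 8 + 2 * cbkey:
        raise ValueError("not a CNG ECC public key blob")
    x = int.from_bytes(blob[8:8 + cbkey], "big")
    y = int.from_bytes(blob[8 + cbkey:8 + 2 * cbkey], "big")
    return {"magic": magic.decode("ascii"), "kind": ECC_MAGICS[magic],
            "cbkey": cbkey, "x": x, "y": y, "on_curve": on_curve(x, y)}


def c2_endpoints(cfg):
    """[(ip, port), ...] in the order the configuration lists them."""
    out = []
    for entry in cfg["C2 list"]:
        ip, port = entry.rsplit(":", 1)
        out.append((ip, int(port)))
    return out


def blocklist(cfg):
    return sorted({ip for ip, _ in c2_endpoints(cfg)})


def suricata_rules(cfg, sid_base=9000000):
    """One constructed Suricata rule per C2 endpoint (SIDs are hypothetical)."""
    rules = []
    for i, (ip, port) in enumerate(c2_endpoints(cfg)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet C2 {ip}:{port} (analysis 553152)"; flow:to_server; '
            f'sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    for key in cfg["Public Key"]:
        d = decode_ecc_blob(key)
        print(d["magic"], d["kind"], "on curve:", d["on_curve"])
    print("\n".join(blocklist(cfg)))
    print("\n".join(suricata_rules(cfg)))
```

Run it as a script to print the key kinds, the on-curve result, the blocklist and the rules. Because the configuration pins C2 endpoints by IP and port (the report also records the traffic as TCP without a preceding DNS query), the rule header can match on the literal address; note that 80 and 443 appear in the list alongside 8080, so blocking only non-standard ports would not cover it.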

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.277730599.0000000004F91000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000009.00000002.277713416.0000000004F60000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000009.00000002.277639007.0000000004DF1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.795927232.0000000000761000.00000020.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.799414733.0000000004CC1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(43 matching memory dumps in the full report; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.rundll32.exe.48e0000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.550000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.4c90000.14.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.760000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.regsvr32.exe.c30000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(67 matching unpacked PEs in the full report; first 5 shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4608, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1, ProcessId: 4528
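The Sigma hit above fires on the ordinal call alone. The process tree, however, shows two further patterns worth a rule: rundll32 re-launching itself, and rundll32 loading a dropped module with a non-DLL extension (pepkl.dhq) from a fresh subdirectory of SysWOW64. The script below is an added example for this page; it is not the Sigma rule's own logic and not sandbox code. Its events are constructed from the process tree above plus one benign control line; the record layout (pid, ppid, image, cmdline) is a Sysmon-style assumption, and the image paths for processes other than 4528 and 4608 are inferred from their command lines.

```python
"""Process-creation heuristics for the rundll32/regsvr32 chain in the report.

Added example for this page, not the Sigma rule's text and not sandbox code.
EVENTS is constructed from the report's process tree plus one benign control
line; the field names are a Sysmon-style assumption.
"""
import re

EVENTS = [
    {"pid": 4856, "ppid": 0, "image": "loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll"'},
    {"pid": 4608, "ppid": 4856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1'},
    {"pid": 4528, "ppid": 4608, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",#1'},
    {"pid": 6096, "ppid": 4528, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",DllRegisterServer'},
    {"pid": 4536, "ppid": 4856, "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\Desktop\gyZm68Cgwf.dll"},
    {"pid": 4520, "ppid": 4536, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\gyZm68Cgwf.dll",DllRegisterServer'},
    {"pid": 4592, "ppid": 4856, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\gyZm68Cgwf.dll,DllRegisterServer"},
    {"pid": 4476, "ppid": 4592, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eehwmcxbz\pepkl.dhq",tlvll'},
    {"pid": 6656, "ppid": 4476, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Eehwmcxbz\pepkl.dhq",DllRegisterServer'},
    # Constructed benign control line (Control Panel applet launch), not from the report.
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# "<module>",<export>  or  <module>,<export>  following the rundll32.exe token.
RUNDLL_ARGS = re.compile(r'^(?:"([^"]+)"|(\S+?)),(\S+)')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOADER_EXTENSIONS = {".dll", ".ocx", ".cpl"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rundll32(cmdline):
    """Return (module, export) from a rundll32 command line, or None."""
    rest = re.sub(r'^\s*"?[^"\s]*rundll32\.exe"?\s*', "", cmdline, flags=re.I)
    m = RUNDLL_ARGS.match(rest)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def rundll32_findings(event, parent):
    """Heuristic labels for one rundll32 process-creation event."""
    findings = []
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return findings
    module, export = parsed
    name = basename(module)
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if export.startswith("#"):
        findings.append("ordinal_export")            # what the Sigma rule matched
    if ext not in LOADER_EXTENSIONS:
        findings.append("non_dll_extension")         # e.g. pepkl.dhq
    low = module.lower()
    for d in SYSTEM_DIRS:
        if low.startswith(d) and "\\" in low[len(d):]:
            findings.append("system_subdir_module")  # module in a subfolder of System32/SysWOW64
            break
    if parent is not None and basename(parent["image"]).lower() == "rundll32.exe":
        findings.append("rundll32_parent")           # rundll32 re-launching itself
    return findings


def analyze(events):
    """{pid: [labels]} for every rundll32 event that triggers at least one heuristic."""
    by_pid = {e["pid"]: e for e in events}
    results = {}
    for e in events:
        if basename(e["image"]).lower() != "rundll32.exe":
            continue
        labels = rundll32_findings(e, by_pid.get(e["ppid"]))
        if labels:
            results[e["pid"]] = labels
    return results


if __name__ == "__main__":
    for pid, labels in analyze(EVENTS).items():
        print(pid, labels)
```

The label names are this example's own. The ordinal check reproduces what the Sigma rule matched on PID 4528; the non-DLL-extension and System32-subdirectory checks also catch the second stage (PIDs 4476 and 6656), which the Sigma rule misses because that stage is called by export name rather than ordinal. The benign Control Panel line produces no findings.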

                      AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.5030000.4.raw.unpack | Malware Configuration Extractor: Emotet (the same C2 list and public keys as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: gyZm68Cgwf.dll | Virustotal: Detection: 28%
Source: gyZm68Cgwf.dll | ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: gyZm68Cgwf.dll | Joe Sandbox ML: detected
Uses 32bit PE files
Source: gyZm68Cgwf.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49754 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49755 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144 (the Snort alert and the extracted configuration both give port 8080 for this host; the port value reported here does not match them)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 45.138.98.34:80
Source: Malware configuration extractor | IPs: 69.16.218.101:8080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.168.220:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 104.131.62.48:8080
Source: Malware configuration extractor | IPs: 62.171.178.147:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 210.57.209.142:8080
Source: Malware configuration extractor | IPs: 159.69.237.188:443
Source: Malware configuration extractor | IPs: 116.124.128.206:8080
Source: Malware configuration extractor | IPs: 128.199.192.135:8080
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Malware configuration extractor | IPs: 185.148.168.15:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 190.90.233.66:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49755 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown | Network traffic detected: IP country count 11
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101 (11 occurrences)
Source: svchost.exe, 00000016.00000003.381450619.0000027DA5D8F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000016.00000003.381450619.0000027DA5D8F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.381450619.0000027DA5D8F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","A equals www.twitter.com (Twitter)
The URL strings below come from svchost.exe service memory and from the Windows certificate trust list download (ctldl.windowsupdate.com) seen in rundll32.exe memory and in a dropped cache file; none of them appears in the extracted C2 list above.
Source: svchost.exe, 00000016.00000002.396724462.0000027DA54DF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000016.00000002.396724462.0000027DA54DF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000B.00000003.306252225.0000000004E29000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.305533400.0000000004E2B000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000B.00000003.305533400.0000000004E2B000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?229413c4f0e8e
Source: svchost.exe, 00000016.00000003.374720135.0000027DA5D83000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000E.00000002.306871378.000002C222813000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000002.797778939.00000236A2244000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.797778939.00000236A2244000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000C.00000002.797778939.00000236A2244000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000002.797778939.00000236A2244000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comds
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.797655896.00000236A2229000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.797655896.00000236A2229000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.306630686.000002C222849000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.306926105.000002C22285C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.306901569.000002C22283D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.306926105.000002C22285C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000002.306941965.000002C22286A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306586825.000002C222868000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.306918594.000002C222852000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306615683.000002C22284C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.306926105.000002C22285C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.306901569.000002C22283D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.306646043.000002C222840000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306662365.000002C222841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306907020.000002C222842000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.306646043.000002C222840000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306662365.000002C222841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306907020.000002C222842000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.306926105.000002C22285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306646043.000002C222840000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000016.00000003.374720135.0000027DA5D83000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.306630686.000002C222849000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.306926105.000002C22285C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.306926105.000002C22285C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000002.306936386.000002C222865000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.306604803.000002C222861000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.306901569.000002C22283D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.285016328.000002C222831000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.306901569.000002C22283D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.306901569.000002C22283D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306871378.000002C222813000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.285016328.000002C222831000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.306657472.000002C222845000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306646043.000002C222840000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.285016328.000002C222831000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.285016328.000002C222831000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.306896021.000002C22283A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000E.00000002.306918594.000002C222852000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.306615683.000002C22284C000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000016.00000003.374720135.0000027DA5D83000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000016.00000003.374720135.0000027DA5D83000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000016.00000003.376301343.0000027DA5D87000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.376387097.0000027DA5DB9000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.376415282.0000027DA6202000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.376344235.0000027DA5DD0000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.376326447.0000027DA5D98000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_100012D0 recvfrom,4_2_100012D0
                      Source: loaddll32.exe, 00000001.00000002.277854316.000000000088B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,4_2_1000FF59
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,5_2_1000FF59

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 11.2.rundll32.exe.48e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4c90000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.regsvr32.exe.c30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.2f80000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.c40000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.48e0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4c90000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4dc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.2f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4da0000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f80000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.51c0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.7e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5060000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4a40000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4910000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5020000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4aa0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4dc0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4b80000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d80000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.regsvr32.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5380000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.regsvr32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5220000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4f30000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4f60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4aa0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5350000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.7e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.550000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4d70000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.2f50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4f70000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4910000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4b80000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4f60000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4df0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f50000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4bb0000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4ff0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4f00000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4ff0000.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4ad0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4cc0000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4f70000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.51f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4fa0000.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4a70000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5350000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.51f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5030000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4a40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4d70000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.5190000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.4f90000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.277730599.0000000004F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277713416.0000000004F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277639007.0000000004DF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.795927232.0000000000761000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799414733.0000000004CC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799045913.0000000004911000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799697917.0000000004FA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279150423.00000000048E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280282313.0000000005221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280168007.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279548390.0000000004F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799538032.0000000004DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.276563054.0000000004D81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279789960.0000000005061000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277622976.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280097781.00000000051C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799779111.0000000005021000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799658123.0000000004F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.273165607.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.796004659.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.798904750.0000000004800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799492765.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.281478633.0000000004FE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.273217579.0000000000C31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.796123742.0000000000C41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799740487.0000000004FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.798938392.0000000004831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280709528.0000000005381000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799314316.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.795619050.0000000000550000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.276500628.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279944266.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799278109.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799381749.0000000004C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277677330.0000000004F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799147765.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277427449.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799215149.0000000004AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279196865.0000000004911000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799109356.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.281423189.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799182038.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279715977.0000000005030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279591942.0000000004F81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.799004905.00000000048E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.280437976.0000000005350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277695700.0000000004F31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.277447134.0000000002F81000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Source: gyZm68Cgwf.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Eehwmcxbz\pepkl.dhq:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Eehwmcxbz\
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C485FF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4EFDD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C380C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4D8DB
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3F0E9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C500EF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4F840
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3A871
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C37078
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C48806
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C52009
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3B820
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4E1F8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C46187
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C32194
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4D1BC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C42142
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3D14C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4E955
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4017B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4CAD5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4A2A5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3BAA9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C40ABA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C44244
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4B257
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C50A64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C44A66
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C53263
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C49A01
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C47A0F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C34BFC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3FB8E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3238C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3F369
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C36B7A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C52B09
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C45333
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4E4E5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C31CA1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C37442
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3A445
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4A474
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4DC71
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C33431
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4C5D5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3C5D8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C49DF5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C355FF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C43D85
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4654A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C52D53
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C47D5B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4AD08
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C45515
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C48D3D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C53EE9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4BEFD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C43EAA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C536AA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C40EBC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C546BD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3E640
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C42E5D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3DE74
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C37E79
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4567B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C38636
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3E7DE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C467E6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C40F86
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C377A3
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C48FAE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C507AA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C517BD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C357B8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3BFBE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C4FF58
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C44F74
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C49774
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C45779
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3670B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C3EF0C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00C31F38
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D985FF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9EFDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9CCD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9E4E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D81CA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D87442
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D8A445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9DC71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9A474
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D83431
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D8C5D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9C5D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D855FF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D99DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D93D85
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D97D5B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04DA2D53
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9654A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D95515
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04D9AD08
                      Source: C:\Windows\SysWOW64\rundll32.exe