
Windows Analysis Report nV5Wu77N8J.dll

Overview

General Information

Sample Name: nV5Wu77N8J.dll
Analysis ID: 553353
MD5: a0306b7a6a12022e4fc8e586b0bc90ec
SHA1: ee7d221826a725a2110bbddbea34bd14522b5ab4
SHA256: 9b1ca060b5a969f03c4c8d99ad487a454742e47fff97343a90afacb5da7d9589
Tags: 32, dll, exe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • svchost.exe (PID: 6772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • loaddll32.exe (PID: 6788 cmdline: loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6852 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6944 cmdline: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6932 cmdline: regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 7112 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6976 cmdline: rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6428 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6596 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 3428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6820 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6952 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7000 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7048 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5496 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2368 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4488 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 808 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1304 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
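The configuration above, decoded. This is an added example by the editor, not output from Joe Sandbox and not code from the Emotet analysis: it validates the C2 entries, decodes the two base64 "Public Key" strings, and derives one outbound Snort rule per C2 pair. The C2 list and key strings are copied verbatim from the report. Reading the decoded key bytes as Windows CNG BCRYPT_ECCKEY_BLOB structures (a 4-byte magic, a 4-byte little-endian coordinate length, then the X and Y coordinates) is the editor's interpretation of what the decoded bytes show; the Snort sid range is an assumption.

```python
"""Added example, not part of the Joe Sandbox report: turn the extracted
Emotet configuration into checkable artefacts.

The C2 list and both "Public Key" strings are copied from the report.
Treating the decoded key bytes as CNG BCRYPT_ECCKEY_BLOB structures is the
editor's interpretation; the report only prints the base64 text.
"""
import base64
import ipaddress
import struct
from collections import Counter

# Copied from the "Malware Configuration" section of the report.
EMOTET_CONFIG = {
    "C2 list": [
        "45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080",
        "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443",
        "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080",
        "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080",
        "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443",
        "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443",
        "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080",
        "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443",
        "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443",
    ],
    "Public Key": [
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    ],
}

# P-256 public-key blob magics as defined in bcrypt.h.
ECC_MAGIC = {
    b"ECS1": "BCRYPT_ECDSA_PUBLIC_P256_MAGIC",  # signature-verification key
    b"ECK1": "BCRYPT_ECDH_PUBLIC_P256_MAGIC",   # key-agreement key
}


def parse_c2(entries):
    """Validate "ip:port" strings; return (IPv4Address, port) pairs.
    A malformed entry raises instead of silently becoming a useless rule."""
    pairs = []
    for item in entries:
        host, _, port = item.rpartition(":")
        ip = ipaddress.IPv4Address(host)          # raises on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {item!r}")
        pairs.append((ip, port))
    return pairs


def parse_ecc_blob(b64):
    """Decode one base64 key; return (magic, coord_len, x, y) or raise."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("blob shorter than the 8-byte header")
    magic = raw[:4]
    if magic not in ECC_MAGIC:
        raise ValueError(f"unknown magic {magic!r}")
    (coord_len,) = struct.unpack_from("<I", raw, 4)
    if len(raw) != 8 + 2 * coord_len:
        raise ValueError(f"{len(raw)} bytes, expected {8 + 2 * coord_len}")
    return magic, coord_len, raw[8:8 + coord_len], raw[8 + coord_len:]


def summarize(config):
    """C2 count, port distribution, and kind/length of each public key."""
    c2 = parse_c2(config["C2 list"])
    keys = [parse_ecc_blob(k) for k in config["Public Key"]]
    return {
        "c2_count": len(c2),
        "ports": Counter(port for _, port in c2),
        "key_kinds": [ECC_MAGIC[m] for m, _, _, _ in keys],
        "coord_lengths": [n for _, n, _, _ in keys],
    }


def snort_rules(config, sid_base=9000001):
    """One outbound rule per C2 pair. sid_base is an assumed local-rule
    range; choose one that does not collide with your ruleset."""
    rules = []
    for i, (ip, port) in enumerate(parse_c2(config["C2 list"])):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet C2 {ip}:{port} from analysis 553353"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    print(summarize(EMOTET_CONFIG))
    print("\n".join(snort_rules(EMOTET_CONFIG)[:2]))
```

Both keys decode to 72 bytes: the magic, a little-endian length of 32, then the two P-256 coordinates. ECS1 is the CNG magic for an ECDSA P-256 public key and ECK1 for an ECDH P-256 public key, so the configuration carries one signature-verification key and one key-agreement key. The port split is 15 servers on 8080, 9 on 443 and 3 on 80, which is why a port-based allowlist alone would not cover this traffic.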

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 15 entries shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.4dd0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.32f0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.5610000.6.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.regsvr32.exe.4960000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
1.0.loaddll32.exe.2b00000.3.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 25 entries shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6852, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, ProcessId: 6944
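The process tree above and this Sigma hit show the whole loader pattern in one run: rundll32 invoked with an ordinal (#1), the DLL copied under C:\Windows\SysWOW64\Oxcjjbulglczzu\ with a .cmd extension, then relaunched by rundll32 calling an export named JEKd and finally DllRegisterServer. The following is an added example by the editor, not code from Joe Sandbox or from the Sigma project: it encodes those observations as checks over process-creation events. The events are constructed to mirror the tree (plus one benign rundll32 launch as a control), and the event field names are the example's own, not a Sysmon or EDR schema.

```python
"""Added example, not from the report: the loader patterns visible in the
process tree as detection logic over process-creation events. Event dicts
are constructed to mirror the tree; field names are this example's own.
"""
import re

LOADERS = {"rundll32.exe", "regsvr32.exe"}
MODULE_EXTENSIONS = {"dll", "ocx", "cpl"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events modelled on the report's process tree, plus one
# benign rundll32 launch (pid 4100) as a control.
EVENTS = [
    {"pid": 6944, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1'},
    {"pid": 6932, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Windows\SysWOW64\loaddll32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll"},
    {"pid": 6428, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd'},
    {"pid": 6596, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer'},
    {"pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 takes "<module>,<export>"; regsvr32 takes switches then <module>.
RUNDLL32_RE = re.compile(
    r'rundll32\.exe"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<export>[^\s,]+)', re.I)
REGSVR32_RE = re.compile(
    r'regsvr32\.exe"?\s+(?:/\S+\s+)*"?(?P<module>[^"\s]+)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_module(image, cmdline):
    """Return (module_path, export); export is None for regsvr32 and the
    pair is (None, None) when the command line does not parse."""
    pattern = RUNDLL32_RE if image == "rundll32.exe" else REGSVR32_RE
    m = pattern.search(cmdline)
    if not m:
        return None, None
    return m.group("module").strip(), m.groupdict().get("export")


def analyze(event):
    """Return the set of finding codes for one process-creation event."""
    image = basename(event["image"])
    if image not in LOADERS:
        return set()
    module, export = extract_module(image, event["cmdline"])
    if module is None:
        return set()
    findings = set()
    low = module.lower()
    name = basename(module)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""

    if export and export.startswith("#"):
        findings.add("ordinal_export")            # Sigma: Suspicious Call by Ordinal
    if ext not in MODULE_EXTENSIONS:
        findings.add("non_dll_extension")         # .cmd in this report
    for sysdir in SYSTEM_DIRS:
        if low.startswith(sysdir) and "\\" in low[len(sysdir):]:
            findings.add("system_subdir_module")  # random folder under SysWOW64
    if image == "rundll32.exe" and export and export.lower() == "dllregisterserver":
        findings.add("rundll32_dllregisterserver")
    if basename(event["parent_image"]) in LOADERS:
        findings.add("loader_spawns_loader")      # relaunch after relocation
    return findings


def triage(events):
    """pid -> findings, only for events that produced at least one."""
    return {e["pid"]: f for e in events if (f := analyze(e))}


if __name__ == "__main__":
    for pid, f in triage(EVENTS).items():
        print(pid, sorted(f))
```

Each check is weak on its own (ordinal calls and rundll32 re-launches do occur legitimately), so the output keeps them as separate codes and leaves the scoring to the consumer; the two relocated-module events carry three and four codes respectively, the benign control none.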

Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 21.2.rundll32.exe.4940000.0.raw.unpack | Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: nV5Wu77N8J.dll | Virustotal: Detection: 16%
Source: nV5Wu77N8J.dll | ReversingLabs: Detection: 13%
Uses 32bit PE files
Source: nV5Wu77N8J.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304021128.0000000004DA9000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.320897103.0000000002D02000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49770 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49771 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 45.138.98.34:80
Source: Malware configuration extractor | IPs: 69.16.218.101:8080
Source: Malware configuration extractor | IPs: 51.210.242.234:8080
Source: Malware configuration extractor | IPs: 185.148.168.220:8080
Source: Malware configuration extractor | IPs: 142.4.219.173:8080
Source: Malware configuration extractor | IPs: 54.38.242.185:443
Source: Malware configuration extractor | IPs: 191.252.103.16:80
Source: Malware configuration extractor | IPs: 104.131.62.48:8080
Source: Malware configuration extractor | IPs: 62.171.178.147:8080
Source: Malware configuration extractor | IPs: 217.182.143.207:443
Source: Malware configuration extractor | IPs: 168.197.250.14:80
Source: Malware configuration extractor | IPs: 37.44.244.177:8080
Source: Malware configuration extractor | IPs: 66.42.57.149:443
Source: Malware configuration extractor | IPs: 210.57.209.142:8080
Source: Malware configuration extractor | IPs: 159.69.237.188:443
Source: Malware configuration extractor | IPs: 116.124.128.206:8080
Source: Malware configuration extractor | IPs: 128.199.192.135:8080
Source: Malware configuration extractor | IPs: 195.154.146.35:443
Source: Malware configuration extractor | IPs: 185.148.168.15:8080
Source: Malware configuration extractor | IPs: 195.77.239.39:8080
Source: Malware configuration extractor | IPs: 207.148.81.119:8080
Source: Malware configuration extractor | IPs: 85.214.67.203:8080
Source: Malware configuration extractor | IPs: 190.90.233.66:443
Source: Malware configuration extractor | IPs: 78.46.73.125:443
Source: Malware configuration extractor | IPs: 78.47.204.80:443
Source: Malware configuration extractor | IPs: 37.59.209.141:8080
Source: Malware configuration extractor | IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 69.16.218.101:8080
Source: unknown | Network traffic detected: IP country count 11
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101 (12 connections)
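The "TCP traffic detected without corresponding DNS query" entries above are the network-side tell: the C2 addresses are hard-coded in the configuration, so the connections are never preceded by a lookup. The following is an added example by the editor (not Joe Sandbox code) that runs the same correlation over constructed DNS and connection records: a connection counts as explained only if some DNS answer resolved its destination within a window beforehand; unexplained external connections, non-standard ports, and hits on the report's C2 pairs are flagged separately. The record layout is this example's own, not a Zeek or Suricata schema, and 203.0.113.10 is a TEST-NET-3 placeholder standing in for the CTL download address.

```python
"""Added example, not from the report: correlate DNS answers with outbound
connections to find direct-to-IP traffic. Records are constructed to mirror
this analysis; the tuple layout is this example's own. 203.0.113.10 is a
TEST-NET-3 placeholder, not a real resolution.
"""
import ipaddress
from collections import defaultdict

# (timestamp, queried name, answered address)
DNS_LOG = [
    (100.0, "ctldl.windowsupdate.com", "203.0.113.10"),
]
# (timestamp, process image, destination address, destination port)
CONN_LOG = [
    (101.0, r"C:\Windows\SysWOW64\rundll32.exe", "203.0.113.10", 80),
    (105.0, r"C:\Windows\SysWOW64\rundll32.exe", "45.138.98.34", 80),
    (106.0, r"C:\Windows\SysWOW64\rundll32.exe", "69.16.218.101", 8080),
    (107.0, r"C:\Windows\System32\svchost.exe", "10.0.0.5", 445),
]
# The two C2 pairs this run actually contacted, from the configuration.
KNOWN_C2 = {("45.138.98.34", 80), ("69.16.218.101", 8080)}
EXPECTED_PORTS = {80, 443}
DNS_WINDOW = 300.0   # seconds for which an answer explains a connection
# Explicit internal ranges (ipaddress.is_private also covers TEST-NET,
# which would hide the placeholder address above).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def index_answers(dns_log):
    """address -> [(answer_ts, name), ...]"""
    idx = defaultdict(list)
    for ts, name, answer in dns_log:
        idx[answer].append((ts, name))
    return idx


def resolved_name(idx, dst, ts, window=DNS_WINDOW):
    """Most recent name resolved to dst at most `window` seconds before ts."""
    best = None
    for ans_ts, name in idx.get(dst, ()):
        if ans_ts <= ts <= ans_ts + window and (best is None or ans_ts > best[0]):
            best = (ans_ts, name)
    return best[1] if best else None


def triage(dns_log, conn_log, known_c2=frozenset()):
    """Flag external connections that no DNS answer explains, that use a
    port outside EXPECTED_PORTS, or that hit a known C2 pair."""
    idx = index_answers(dns_log)
    results = []
    for ts, proc, dst, dport in conn_log:
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in INTERNAL_NETS):
            continue  # internal traffic is out of scope for this check
        name = resolved_name(idx, dst, ts)
        flags = set()
        if name is None:
            flags.add("no_dns")
        if dport not in EXPECTED_PORTS:
            flags.add("non_standard_port")
        if (dst, dport) in known_c2:
            flags.add("known_c2")
        results.append({"ts": ts, "process": proc, "dst": f"{dst}:{dport}",
                        "name": name, "flags": flags})
    return results


if __name__ == "__main__":
    for r in triage(DNS_LOG, CONN_LOG, KNOWN_C2):
        print(r["dst"], r["name"] or "-", sorted(r["flags"]) or "ok")
```

The window matters in practice: DNS caching means the answer that explains a connection may be minutes old, and a window that is too short turns cached CDN traffic into false positives, so tune DNS_WINDOW against your own resolver TTLs before relying on the no_dns flag alone.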
Source: svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.414140821.000001BC5679F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001B.00000002.429773370.000001BC56700000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000001B.00000002.429490850.000001BC560EA000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.23.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: rundll32.exe, 00000017.00000003.396902729.0000000005B92000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.396161978.0000000005B8F000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.396717468.0000000005B92000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c994095b652b9
                      Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
                      Source: Amcache.hve.18.dr String found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000A.00000003.309482803.000002C758867000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310779768.000002C758869000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310557127.000002C75883A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 0000001B.00000003.410707163.000001BC56788000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410814184.000001BC56C19000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410832016.000001BC56C02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10001280 recvfrom
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match File source: 8.2.rundll32.exe.4dd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5610000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.regsvr32.exe.4960000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.loaddll32.exe.2b00000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.54e0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.rundll32.exe.4940000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.54b0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.rundll32.exe.4940000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5610000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.34c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.loaddll32.exe.2b00000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.4e00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.54b0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.regsvr32.exe.4960000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5640000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.loaddll32.exe.2b30000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.regsvr32.exe.4990000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.4dd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp, type: MEMORY
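                      The Yara hits above are listed under two naming schemes: memory dumps (<pid>.<stage>.<dumpid>.<base>.<protect>.<type>.sdmp, with pid and base in hex) and unpacked PE images (<pid>.<stage>.<image>.<base>.<index>[.raw].unpack, with a decimal pid). Reading them together tells a responder which processes hold the unpacked Emotet payload and at which addresses; for instance 00000015...0000000004940000.00000040 and 21.2.rundll32.exe.4940000.0.raw.unpack describe the same region of the same rundll32.exe (0x15 == 21). The Python below is an added example, not Joe Sandbox code and not part of this report: it parses the flattened evidence lines of this page into records and decodes the fifth .sdmp field as a Windows page protection (PAGE_EXECUTE_READWRITE = 0x40, PAGE_EXECUTE_READ = 0x20; the constants are exact, treating that field as the protection is an assumption drawn from the values seen here). The sample lines are copied verbatim from this report.

```python
"""Parse Joe Sandbox evidence lines as flattened on this report page. Added example, not vendor code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# winnt.h memory-protection constants; these values are exact.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Memory dump name: <pid>.<stage>.<dumpid>.<base>.<protect>.<type>.sdmp (hex pid/base/protect).
# ASSUMPTION: field 5 is the page protection; the report shows 0x40, 0x20 and 0x04 there.
SDMP_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")
# Unpacked PE name: <pid>.<stage>.<image>.<base>.<index>[.raw].unpack (decimal pid, hex base).
UNPACK_RE = re.compile(r"(\d+)\.(\d+)\.(\S+?)\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack")
# Code-function id <pid>_<stage>_<address>; the flattened page repeats it twice on each line.
FUNC_RE = re.compile(r"(\d+)_(\d+)_([0-9A-Fa-f]{8})")
URL_RE = re.compile(r"String found in binary or memory:\s*(\S+)")


@dataclass
class Evidence:
    kind: str                      # yara_memory | yara_unpacked | string | function
    pid: Optional[int] = None
    stage: Optional[int] = None
    base: Optional[int] = None
    protect: Optional[str] = None
    executable: bool = False
    value: Optional[str] = None    # URL, image name or function id


def parse_line(line: str) -> Optional[Evidence]:
    line = line.strip()
    if "Yara match" in line:
        m = SDMP_RE.search(line)
        if m:
            prot = int(m.group(5), 16) & 0xFF   # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
            return Evidence("yara_memory", pid=int(m.group(1), 16), stage=int(m.group(2), 16),
                            base=int(m.group(4), 16), protect=PAGE_PROTECT.get(prot, hex(prot)),
                            executable=prot in EXECUTABLE)
        m = UNPACK_RE.search(line)
        if m:
            return Evidence("yara_unpacked", pid=int(m.group(1)), stage=int(m.group(2)),
                            base=int(m.group(4), 16), value=m.group(3))
        return None
    if "Code function:" in line:
        ids = list(dict.fromkeys(FUNC_RE.findall(line)))   # collapse the duplicated id
        if len(ids) != 1:
            return None
        pid, stage, addr = ids[0]
        return Evidence("function", pid=int(pid), stage=int(stage), base=int(addr, 16),
                        value=f"{pid}_{stage}_{addr}")
    m = URL_RE.search(line)
    if m:
        d = SDMP_RE.search(line)             # first dump the string was found in, if any
        return Evidence("string", pid=int(d.group(1), 16) if d else None, value=m.group(1))
    return None


def parse_report(lines: Iterable[str]) -> List[Evidence]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def executable_yara_hits(evidence: Iterable[Evidence]):
    """(pid, base) pairs where a Yara rule fired on executable process memory."""
    return sorted({(e.pid, e.base) for e in evidence
                   if e.kind == "yara_memory" and e.executable})


# Lines copied verbatim from this report; lines 2 and 3 name the same region of PID 21.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 21.2.rundll32.exe.4940000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, type: MEMORY",
    "Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/",
    "Source: C:\\Windows\\System32\\loaddll32.exeCode function: 1_2_02B4EFDD1_2_02B4EFDD",
]

if __name__ == "__main__":
    records = parse_report(SAMPLE_LINES)
    for rec in records:
        print(rec)
    print("executable Yara hits:", [(p, hex(b)) for p, b in executable_yara_hits(records)])
```

                      Feed the whole evidence list through parse_report and executable_yara_hits to get the set of (pid, base) regions to pull from the sandbox for string or config extraction; the regions flagged 0x40 (RWX) are the ones to prioritise, since a legitimately mapped image section is not normally both writable and executable.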

                      System Summary:

                      Source: nV5Wu77N8J.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Oxcjjbulglczzu\
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4EFDD
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B546BD
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B40EBC
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3C6B8
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B40ABA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4A2A5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B31CA1
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3BAA9
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B43EAA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B536AA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4BEFD
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4E4E5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3F0E9
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B500EF
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B53EE9
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4CAD5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4CCD9
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4D8DB
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B380C0
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B33431
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B38636
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3B820
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B48806
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B49A01
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B47A0F
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B52009
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4A474
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3A871
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4DC71
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3DE74
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B37E79
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B37078
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4567B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B50A64
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B44A66
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B53263
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4B257
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B42E5D
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B44244
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B37442
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3E640
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4F840
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3A445
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4D1BC
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B517BD
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B357B8
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3BFBE
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B377A3
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B48FAE
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B507AA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B32194
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B43D85
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B40F86
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B46187
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3FB8E
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3238C
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B49DF5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B485FF
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4E1F8
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B355FF
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B34BFC
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B467E6
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4C5D5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3C5D8
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3E7DE
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B45333
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B48D3D
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B31F38
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B45515
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3670B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B52B09
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4AD08
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3EF0C
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B44F74
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B49774
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B36B7A
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B45779
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4017B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3F369
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4E955
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B52D53
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4FF58
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B47D5B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B42142
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B4654A
                      Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02B3D14C
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100291F6
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002F378
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100403D7
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1004250B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10041557
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_100395A1
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002F784
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1004091B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002EACF
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002FBA4
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100291F6
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002F378
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100403D7
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1004250B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10041557
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100395A1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002F784
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1004091B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002EACF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002FBA4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10035D96
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10040E5F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002EFA4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E14A66
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E0DE74
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E1B257
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E08636
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E22009
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E17A0F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_04E185FF