
Windows Analysis Report hPJnda9rBy

Overview

General Information

Sample Name: hPJnda9rBy (renamed file extension from none to dll)
Analysis ID: 553354
MD5: 56c2941eb73ea59306cc9d2a6b15974c
SHA1: 8d483f2069955ae7a3f7e70e6dafa2641cbf4a75
SHA256: 7caa923401ec9a16969f0b37225b77cd16c6923abff2eda76f1fa9a35bff2879
Tags: 32, dll, exe

Detection

Emotet
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6396 cmdline: loaddll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6436 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6472 cmdline: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6448 cmdline: regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6524 cmdline: rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 468 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var",pFqaCuAaxr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6384 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 524 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6620 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6396 -ip 6396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7124 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 988 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6080 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 3688 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6300 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1704 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 1056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6724 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2188 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6412 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
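The two "Public Key" values above are base64-encoded Windows CNG BCRYPT_ECCKEY_BLOB structures: an 8-byte header (4-byte magic, 4-byte little-endian coordinate length) followed by the X and Y coordinates as big-endian integers. The first blob's magic decodes to "ECS1" (BCRYPT_ECDSA_PUBLIC_P256_MAGIC) and the second's to "ECK1" (BCRYPT_ECDH_PUBLIC_P256_MAGIC), so the sample carries a P-256 signature-verification key and a P-256 key-agreement key. The following Python is an added example, not Joe Sandbox code: it parses the extracted configuration, splits the C2 list into host/port pairs, decodes both key blobs and checks that each decoded point actually lies on P-256, which is a cheap way to confirm that a key copied out of a report has not been truncated or mistyped. The configuration JSON is copied verbatim from this report; the curve constants are the FIPS 186-4 values.

```python
"""Parse the Emotet configuration extracted above: split the C2 list into
host/port pairs and decode the two CNG ECC public-key blobs.
Added example, not Joe Sandbox code."""
import base64
import json
import struct
from collections import Counter

# Configuration JSON copied verbatim from the "Malware Configuration" section.
CONFIG_JSON = (
    '{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", '
    '"185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", '
    '"191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", '
    '"217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", '
    '"66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", '
    '"116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", '
    '"185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", '
    '"85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", '
    '"78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], '
    '"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", '
    '"RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}'
)

# Magic values of BCRYPT_ECCKEY_BLOB (bcrypt.h) as they appear in memory:
# the little-endian DWORD reads as four ASCII characters.
ECC_MAGICS = {
    b"ECK1": "BCRYPT_ECDH_PUBLIC_P256_MAGIC",   # P-256 key agreement
    b"ECS1": "BCRYPT_ECDSA_PUBLIC_P256_MAGIC",  # P-256 signature verification
}

# NIST P-256 (secp256r1) domain parameters from FIPS 186-4.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_c2_list(cfg):
    """Return (host, port) tuples; rpartition keeps IPv6 literals intact."""
    pairs = []
    for entry in cfg["C2 list"]:
        host, _, port = entry.rpartition(":")
        pairs.append((host, int(port)))
    return pairs


def decode_ecc_blob(b64):
    """Decode a base64 BCRYPT_ECCKEY_BLOB: 4-byte magic, 4-byte LE cbKey,
    then X and Y as big-endian cbKey-byte integers."""
    raw = base64.b64decode(b64, validate=True)
    magic, cb_key = struct.unpack("<4sI", raw[:8])
    if magic not in ECC_MAGICS:
        raise ValueError(f"not an ECC public key blob: {magic!r}")
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob length {len(raw)} does not match cbKey={cb_key}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:], "big")
    return {"magic": magic.decode("ascii"), "usage": ECC_MAGICS[magic],
            "key_bytes": cb_key, "x": x, "y": y}


def on_p256(x, y):
    """True iff (x, y) satisfies y^2 = x^3 + a*x + b (mod p) on P-256."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x ** 3 + P256_A * x + P256_B)) % P256_P == 0


def analyse(config_json=CONFIG_JSON):
    """Parse the config and return C2 pairs, a per-port count and key details."""
    cfg = json.loads(config_json)
    c2 = parse_c2_list(cfg)
    keys = []
    for blob in cfg["Public Key"]:
        k = decode_ecc_blob(blob)
        k["on_curve"] = on_p256(k["x"], k["y"])
        keys.append(k)
    return {"c2": c2, "ports": Counter(port for _, port in c2), "keys": keys}


if __name__ == "__main__":
    result = analyse()
    print(f'{len(result["c2"])} C2 endpoints, ports: {dict(result["ports"])}')
    for k in result["keys"]:
        print(f'{k["magic"]} ({k["usage"]}): {k["key_bytes"] * 8}-bit, '
              f'on curve: {k["on_curve"]}')
```

The magic check matters more than it looks: a blob whose header, length and curve membership all check out can be fed straight into a decryptor or a signature verifier, while a point that is off the curve almost always means the key was mangled in transcription rather than that the family changed key format.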

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.249579927.0000000000D40000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.292238203.00000000050F0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.283401737.0000000004C70000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000000.00000000.249666455.0000000000EB1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.292440539.0000000005360000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(24 entries in the full report; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.d40000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.rundll32.exe.5200000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.47b0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.rundll32.exe.5360000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.rundll32.exe.5390000.7.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(39 entries in the full report; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth
Data: Command: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1; CommandLine: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1; CommandLine|base64offset|contains: (empty); Image: C:\Windows\SysWOW64\rundll32.exe; NewProcessName: C:\Windows\SysWOW64\rundll32.exe; OriginalFileName: C:\Windows\SysWOW64\rundll32.exe; ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1; ParentImage: C:\Windows\SysWOW64\cmd.exe; ParentProcessId: 6436; ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1; ProcessId: 6472

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.0.loaddll32.exe.eb0000.4.unpack; Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file
Source: hPJnda9rBy.dll; Virustotal: Detection: 18%

Source: hPJnda9rBy.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: bcrypt.pdbi* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: Kernel.Appcore.pdb- source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.255802261.0000000004D2A000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254847683.0000000003351000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254740092.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259688584.0000000004D2A000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255222762.0000000003351000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdbc* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.272220890.0000000002D32000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb_* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259900857.0000000005715000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.255714857.000000000334B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254840837.000000000334B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259900857.0000000005715000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb?* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.255236401.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255468472.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254853748.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255275842.0000000003357000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.255236401.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255468472.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254853748.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255275842.0000000003357000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.254847683.0000000003351000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255222762.0000000003351000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdbe* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbQ* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.255714857.000000000334B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254840837.000000000334B000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49775 -> 45.138.98.34:80
Source: Traffic; Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49776 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs (27): 45.138.98.34:80, 69.16.218.101:8080, 51.210.242.234:8080, 185.148.168.220:8080, 142.4.219.173:8080, 54.38.242.185:443, 191.252.103.16:80, 104.131.62.48:8080, 62.171.178.147:8080, 217.182.143.207:443, 168.197.250.14:80, 37.44.244.177:8080, 66.42.57.149:443, 210.57.209.142:8080, 159.69.237.188:443, 116.124.128.206:8080, 128.199.192.135:8080, 195.154.146.35:443, 185.148.168.15:8080, 195.77.239.39:8080, 207.148.81.119:8080, 85.214.67.203:8080, 190.90.233.66:443, 78.46.73.125:443, 78.47.204.80:443, 37.59.209.141:8080, 54.37.228.122:443
Source: global traffic; TCP traffic: 192.168.2.5:49776 -> 69.16.218.101:8080
Source: unknown; Network traffic detected: IP country count 12
Source: unknown; TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 connections)
Source: unknown; TCP traffic detected without corresponding DNS query: 69.16.218.101 (13 connections)
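The two C2 connections above combine the traits the report lists as separate signatures: a LOLBin (rundll32.exe) as the originating process, a destination reached directly by IP with no preceding DNS query, a match against the extracted C2 list, and, for the second one, a non-standard web port. The following Python is an added example, not Joe Sandbox code: it correlates a connection log with DNS answers and a known-C2 set and emits those findings per connection. The connection and DNS records are constructed from this report's traffic section (the windowsupdate.com entry uses the documentation address 203.0.113.10 as a stand-in because the report does not give that resolution, and the final private-range connection is added to show the RFC 1918 edge case); the C2 set is a subset of the configuration's C2 list.

```python
"""Triage outbound connections against DNS answers and a known-C2 set.
Added example, not Joe Sandbox code; the records below are constructed
from the report's Networking section, not captured from a live host."""
import ipaddress

# Subset of the C2 list from the extracted configuration: (ip, port).
KNOWN_C2 = {
    ("45.138.98.34", 80), ("69.16.218.101", 8080),
    ("51.210.242.234", 8080), ("54.38.242.185", 443),
}
# Binaries that rarely have a legitimate reason to open outbound sockets.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
WEB_PORTS = {80, 443}

# Constructed DNS answers: (query name, answer). 203.0.113.10 is a
# documentation address standing in for the real windowsupdate.com resolution.
DNS_ANSWERS = [("ctldl.windowsupdate.com", "203.0.113.10")]

# Constructed connections: (process, src ip, src port, dst ip, dst port).
CONNECTIONS = [
    ("rundll32.exe", "192.168.2.5", 49775, "45.138.98.34", 80),
    ("rundll32.exe", "192.168.2.5", 49776, "69.16.218.101", 8080),
    ("svchost.exe", "192.168.2.5", 49780, "203.0.113.10", 80),
    ("rundll32.exe", "192.168.2.5", 49781, "192.168.2.1", 445),  # edge case: LAN peer
]


def triage(connections=CONNECTIONS, dns_answers=DNS_ANSWERS, known_c2=KNOWN_C2):
    """Return one record per connection with the list of findings it raised."""
    resolved = {answer for _, answer in dns_answers}
    results = []
    for proc, _src, _sport, dst, dport in connections:
        addr = ipaddress.ip_address(dst)
        findings = []
        # Direct-to-IP beaconing: only meaningful for routable destinations,
        # since LAN peers and special-purpose ranges are never resolved via DNS.
        if not addr.is_private and dst not in resolved:
            findings.append("no_dns")
        if (dst, dport) in known_c2:
            findings.append("known_c2")
        if not addr.is_private and dport not in WEB_PORTS:
            findings.append("non_standard_port")
        if proc.lower() in LOLBINS:
            findings.append("lolbin_network")
        results.append({"proc": proc, "dst": f"{dst}:{dport}", "findings": findings})
    return results


def alerts(results):
    """Connections worth paging on: a C2 hit, or two or more weaker signals."""
    return [r for r in results
            if "known_c2" in r["findings"] or len(r["findings"]) >= 2]


if __name__ == "__main__":
    for r in alerts(triage()):
        print(f'{r["proc"]} -> {r["dst"]}: {", ".join(r["findings"])}')
```

The no-DNS heuristic on its own is weak (CDN pinning and hard-coded update endpoints produce it too); it earns its keep in combination with the process name and the port, which is why the alert threshold here requires either a C2 match or two independent signals.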
Source: svchost.exe, 00000026.00000003.574739165.0000027012DB4000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000000C.00000002.607017067.000002737A489000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.592616666.0000027012D00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.606870771.000002737A416000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000002.606696727.0000027374EAD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mic
Source: svchost.exe, 0000000C.00000002.606696727.0000027374EAD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000C.00000002.606696727.0000027374EAD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enu
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000011.00000002.310359378.000001ABA1013000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.309854705.000001ABA1069000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310469805.000001ABA106B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310429098.000001ABA1043000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309988764.000001ABA1042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310429098.000001ABA1043000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309988764.000001ABA1042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000002.310463785.000001ABA1066000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310359378.000001ABA1013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.309981298.000001ABA1046000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.310002897.000001ABA103A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000026.00000003.569759353.0000027012D84000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.569911335.0000027012DA3000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.569895007.0000027012DBA000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10001280 recvfrom
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0.2.loaddll32.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5200000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.47b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5360000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5390000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.48f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5360000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4f20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4f20000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5230000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.50f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4da0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4ec0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4ef0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d40000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.47b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.45e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4c70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4ec0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.2f60000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.53c0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.2f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5150000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5200000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.2f30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.4f50000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.50f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4aa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.53c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.249579927.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292238203.00000000050F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.283401737.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.249666455.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292440539.0000000005360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.292882371.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292503101.00000000053C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292286268.0000000005151000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.291899393.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292382538.0000000005231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.291926283.0000000004AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.292911557.0000000004DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.273369713.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240583182.00000000047B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240663709.00000000048F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.283457312.0000000004CA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.292454173.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.296105740.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.293034859.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.292508980.0000000002F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.248107963.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.273136577.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.293001920.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.247589289.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.293065921.0000000004F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.292962848.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.296341429.00000000045E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292348767.0000000005200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292473375.0000000005391000.00000020.00000001.sdmp, type: MEMORY
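Added triage example, not part of the Joe Sandbox report: the Yara rows above come in two source-name formats, <pid>.<stage>.<image>.<base>.<n>[.raw].unpack for PE files carved from a process and <pid hex>.<stage hex>.<dump id>.<base>.<protection>.<type>.sdmp for memory dumps. That field layout is inferred from the visible rows, not taken from vendor documentation, and reading the fifth sdmp field as the page protection is likewise an assumption. The script below parses a constructed subset of rows copied from this section, groups the Emotet hits by process, and lists the regions where both the carved PE and the live dump at the same base address matched, which is the short list worth pulling out of the sandbox for manual unpacking and config extraction.

```python
"""Correlate Joe Sandbox "Yara detected Emotet" rows per process.

Constructed input: SAMPLE_ROWS is copied from the report's E-Banking Fraud
section. The field layout of both source-name formats is an assumption
inferred from those rows (see lead-in).
"""
import re
from collections import defaultdict

SAMPLE_ROWS = """
Source: Yara matchFile source: 0.2.loaddll32.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 3.2.regsvr32.exe.47b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 6.2.rundll32.exe.5360000.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 15.2.rundll32.exe.4f20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.rundll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000000.00000000.249579927.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.240583182.00000000047B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000006.00000002.292440539.0000000005360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000006.00000002.292286268.0000000005151000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.293034859.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.296105740.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
"""

# Tolerates the run-together "matchFile source:" extraction and a separated form.
ROW_RE = re.compile(r"File source:\s*(?P<name>\S+),\s*type:\s*(?P<type>\w+)")
# <pid>.<stage>.<image>.<base hex>.<index>[.raw].unpack  (pid is decimal)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\."
    r"(?P<base>[0-9a-fA-F]+)\.\d+\.(?:raw\.)?unpack$")
# <pid>.<stage>.<dump id>.<base>.<protect>.<type>.sdmp  (pid is 8 hex digits)
MEM_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")


def parse_rows(text):
    """Yield (pid, image or None, base, kind, protect or None) for each parseable row."""
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        name, kind = m.group("name"), m.group("type")
        if kind == "UNPACKEDPE":
            u = UNPACK_RE.match(name)
            if u:
                yield int(u["pid"]), u["image"], int(u["base"], 16), "unpack", None
        elif kind == "MEMORY":
            mm = MEM_RE.match(name)
            if mm:
                yield int(mm["pid"], 16), None, int(mm["base"], 16), "memory", int(mm["protect"], 16)


def correlate(text):
    """pid -> {"image": name, "bases": {base: {"unpack": bool, "memory": bool, "protect": int|None}}}."""
    procs = defaultdict(lambda: {
        "image": None,
        "bases": defaultdict(lambda: {"unpack": False, "memory": False, "protect": None}),
    })
    for pid, image, base, kind, protect in parse_rows(text):
        entry = procs[pid]
        if image:                      # only the unpack rows carry the image name
            entry["image"] = image
        region = entry["bases"][base]
        region[kind] = True
        if protect is not None:
            region["protect"] = protect
    return procs


def summarize(text):
    """pid -> hex base addresses of every region the Emotet rule hit in that process."""
    return {pid: [hex(b) for b in sorted(p["bases"])] for pid, p in correlate(text).items()}


def confirmed_regions(text):
    """Regions where both the carved PE and the memory dump at the same base matched."""
    out = []
    for pid, p in sorted(correlate(text).items()):
        for base, r in sorted(p["bases"].items()):
            if r["unpack"] and r["memory"]:
                out.append((pid, p["image"], hex(base)))
    return out


if __name__ == "__main__":
    for pid, bases in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"pid {pid}: {bases}")
    for pid, image, base in confirmed_regions(SAMPLE_ROWS):
        print(f"pid {pid} ({image}): Emotet PE at {base} confirmed in memory")
```

Because ROW_RE only anchors on "File source:" and "type:", the same script can be pointed at the raw extracted page text or at a cleaned copy with column separators. A region that appears only as a memory dump (for example 0x5151000 in pid 6 above, protection 0x20) is still a hit, but without a matching carved PE it usually needs a manual dump before the config extractor will accept it.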

                      System Summary:

Source: hPJnda9rBy.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6396 -ip 6396
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Vrptpiaqednpvbdv\
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECEFDD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBF0E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED00EF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED3EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECE4E5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECBEFD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB80C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECCCD9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECD8DB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECCAD5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBBAA9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC3EAA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED36AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECA2A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB1CA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED46BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC0EBC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBC6B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC0ABA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED0A64
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC4A66
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED3263
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB7E79
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB7078
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC567B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECA474
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBA871
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECDC71
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBDE74
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC4244
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB7442
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBE640
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECF840
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBA445
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC2E5D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECB257
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBB820
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB3431
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB8636
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC7A0F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED2009
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC8806
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC9A01
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC67E6
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC85FF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECE1F8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB55FF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC27F9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB4BFC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC07F4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC9DF5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECFBDE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBC5D8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBE7DE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECC5D5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC8FAE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED07AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB77A3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ECD1BC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00ED17BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB57B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBBFBE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBFB8E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB238C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC3D85
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC0F86
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC6187
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB2194
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EBF369
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EB6B7A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC5779
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC437A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC017B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00EC4F74