
Windows Analysis Report nIQCsrVbbw.dll

Overview

General Information

Sample Name: nIQCsrVbbw.dll
Analysis ID: 553359
MD5: 06b75d254c6844f78c7d7eefa5b1243e
SHA1: af4b4dccf317dbeeab97868a9514a7c9e496c8d3
SHA256: b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
Tags: 32 dll exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7120 cmdline: loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4892 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5580 cmdline: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3100 cmdline: regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 6716 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6504 cmdline: rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3604 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gwwrzypqggddo\faunqcxbnkzdy.fxb",DpwIzoKqIHOYx MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 3396 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gwwrzypqggddo\faunqcxbnkzdy.fxb",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 5444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4000 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4664 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7120 -ip 7120 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2504 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6432 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.692416013.00000000054F0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.318376552.0000000004F91000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000A.00000002.322328065.0000000002D20000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.692912261.0000000005AA0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000B.00000002.693049451.0000000005B80000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(55 entries in the full report; first five shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.4d20000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.5d80000.18.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.4d80000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.5aa0000.14.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.4ee0000.6.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(85 entries in the full report; first five shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4892, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1, ProcessId: 5580

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.2d20000.0.raw.unpack | Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: nIQCsrVbbw.dll | Virustotal: Detection: 15%
Source: nIQCsrVbbw.dll | ReversingLabs: Detection: 16%
Antivirus detection for URL or domain
Source: https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz# | Avira URL Cloud: Label: malware
Source: https://45.138.98.34/ | Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://45.138.98.34/ | Virustotal: Detection: 10%
Source: nIQCsrVbbw.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: propsys.pdbT source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbN source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.323068869.00000000031B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322735848.0000000004CD5000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322759628.00000000031B1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.327739778.00000000050E2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.339350125.0000000002CD2000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.327792469.00000000050E5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327739778.00000000050E2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.323389840.00000000031AB000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322753338.00000000031AB000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.327792469.00000000050E5000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327739778.00000000050E2000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbj source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.327786271.00000000050E0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.327786271.00000000050E0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.327786271.00000000050E0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbv source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.322765718.00000000031B7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322971705.00000000031B7000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.327739778.00000000050E2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.322765718.00000000031B7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322971705.00000000031B7000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.327786271.00000000050E0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.327786271.00000000050E0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb, source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.323068869.00000000031B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322759628.00000000031B1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.327749292.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.327800302.00000000050E8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.327732640.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.323389840.00000000031AB000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.322753338.00000000031AB000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration (the C2 list is given under Malware Configuration above)
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: Joe Sandbox View | IP Address: 104.131.62.48
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 69.16.218.101:8080
Source: unknown | Network traffic detected: IP country count 11
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown | TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: rundll32.exe, 0000000B.00000002.691887680.000000000341F000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357629848.000000000341F000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.448427231.000001641CD00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000016.00000002.448280014.000001641C4EF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000B.00000003.354490654.0000000005C43000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000002.691887680.000000000341F000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357629848.000000000341F000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000B.00000003.354490654.0000000005C43000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/.R
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 0000000B.00000002.691887680.000000000341F000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357629848.000000000341F000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000B.00000003.354490654.0000000005C43000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.355162517.0000000003459000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000002.691915726.0000000003480000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.355348418.000000000347F000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357547662.0000000003480000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b75da39e41bf0
Source: rundll32.exe, 0000000B.00000002.691887680.000000000341F000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357629848.000000000341F000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabUW
Source: svchost.exe, 00000016.00000003.424406324.000001641CD5D000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424442797.000001641CD80000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424316902.000001641CD70000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424335971.000001641CD80000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://45.138.98.34/
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz#
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101/
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101/X.
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc1
Source: rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAcDk6
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAcDk7
Source: rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp | String found in binary or memory: https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAcY
Source: svchost.exe, 00000016.00000003.424406324.000001641CD5D000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424442797.000001641CD80000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424316902.000001641CD70000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424335971.000001641CD80000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000016.00000003.424406324.000001641CD5D000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424442797.000001641CD80000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424316902.000001641CD70000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424335971.000001641CD80000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000016.00000003.424406324.000001641CD5D000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424442797.000001641CD80000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424316902.000001641CD70000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424335971.000001641CD80000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000016.00000003.425939891.000001641CDAB000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.425986683.000001641CD7B000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.425998694.000001641CD94000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.426066267.000001641D202000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.425960822.000001641CDAB000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10001280 recvfrom,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 5.2.rundll32.exe.4d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5d80000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4d80000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5aa0000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4c40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4f60000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4c70000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5bb0000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.loaddll32.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4ee0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4480000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5680000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.56b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.2980000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.2d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.52b0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.56b0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5aa0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f40000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.51f0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5d80000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2e20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5320000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5990000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5b80000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.3280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.54f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5320000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5db0000.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.59c0000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.4c40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5410000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f70000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.6000000.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.52e0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.6000000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.loaddll32.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5350000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4f00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.2d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5ad0000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.3280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d50000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.loaddll32.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.46c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d20000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.dd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4c50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.51c0000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4c80000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4f90000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4d80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.52b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c70000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4c50000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5650000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.6030000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4f10000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4f00000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4f30000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.51c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4f60000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4db0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5650000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.54f0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.4930000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5b80000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5440000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.loaddll32.exe.27a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.56e0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.32b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.loaddll32.exe.2980000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.loaddll32.exe.27a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5520000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.5990000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.692416013.00000000054F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318376552.0000000004F91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.322328065.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692912261.0000000005AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.693049451.0000000005B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692792483.0000000005990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319220718.0000000004C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.340184392.0000000002981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.313088625.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692538587.0000000005681000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692564390.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304136320.0000000004931000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318188927.0000000004C71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692047710.0000000004C71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.313923443.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319469836.0000000004F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692594246.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318296344.0000000004F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.322840736.0000000004481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.693077342.0000000005BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.340127468.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318566617.0000000005320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.313015794.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318521400.00000000051F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.317820038.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.693386084.0000000006031000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318320563.0000000004F31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692022013.0000000004C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.693354364.0000000006000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319637287.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318160754.0000000004C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.318877954.0000000004580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.313073617.0000000002E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692503192.0000000005650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318025809.0000000004701000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.303858298.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.691678754.00000000032B1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318347085.0000000004F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692337885.0000000005410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319268493.0000000004C81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318598439.0000000005351000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.693231899.0000000005D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319350113.0000000004DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319315094.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692973628.0000000005AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319560099.0000000004F71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.314281816.0000000002981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692836661.00000000059C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.691624077.0000000003280000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318240143.0000000004D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692363013.0000000005441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.693267062.0000000005DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319417804.0000000004EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318218247.0000000004D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.313185864.0000000002981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.318476243.00000000051C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319512030.0000000004F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319678344.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.319057129.00000000046C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.692450211.0000000005521000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Source: nIQCsrVbbw.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7120 -ip 7120
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Gwwrzypqggddo\faunqcxbnkzdy.fxb:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Gwwrzypqggddo\
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299EFDD
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0298C6B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02990ABA
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02990EBC
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_029A46BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_029A36AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0298BAA9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02993EAA
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02981CA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299A2A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299CCD9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299D8DB
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299CAD5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_029880C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299BEFD
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0298F0E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_029A3EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_029A00EF
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0299E4E5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_029A2009
                      Source: C:\Windows\System32\loaddll32.e