Windows Analysis Report ALNgwfVtrB

Overview

General Information

Sample Name: ALNgwfVtrB (renamed file extension from none to dll)
Analysis ID: 553377
MD5: 61308ba77d051e4e76e532f9709635e0
SHA1: 95d2cd6c7be346d29735ed970d3f373d37b7e13f
SHA256: bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
Tags: 32, dll, exe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6764 cmdline: loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4616 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6048 cmdline: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 4668 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 4584 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3408 cmdline: regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 400 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6800 cmdline: rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4588 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4680 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5796 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4532 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.388319825.0000000005640000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.388061342.00000000053B1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.388938400.0000000005A60000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.425302680.00000000054F1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.388421865.00000000056A0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 31 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.5200000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.5a90000.13.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.54c0000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.46a0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.53b0000.3.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 of 49 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4616, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, ProcessId: 6048

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.b50000.0.raw.unpack; Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: ALNgwfVtrB.dll; Virustotal: Detection: 15%
Source: ALNgwfVtrB.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.386248432.0000000001084000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386451052.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386643870.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.387103473.0000000001089000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390639136.0000000001125000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.387043294.00000000008EB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386443931.00000000008EB000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390639136.0000000001125000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbQk source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb6g source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbok.zD source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: combase.pdb!kXz source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb?k~z source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.386458009.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386707582.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386650391.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386804457.00000000008F7000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.386458009.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386707582.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386650391.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386804457.00000000008F7000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb9kpz source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb]k source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.386451052.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386643870.00000000008F1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbuk4zl source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.401712125.0000000000672000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.387043294.00000000008EB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386443931.00000000008EB000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49727 -> 45.138.98.34:80
Source: Traffic; Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49728 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 45.138.98.34:80
Source: Malware configuration extractor; IPs: 69.16.218.101:8080
Source: Malware configuration extractor; IPs: 51.210.242.234:8080
Source: Malware configuration extractor; IPs: 185.148.168.220:8080
Source: Malware configuration extractor; IPs: 142.4.219.173:8080
Source: Malware configuration extractor; IPs: 54.38.242.185:443
Source: Malware configuration extractor; IPs: 191.252.103.16:80
Source: Malware configuration extractor; IPs: 104.131.62.48:8080
Source: Malware configuration extractor; IPs: 62.171.178.147:8080
Source: Malware configuration extractor; IPs: 217.182.143.207:443
Source: Malware configuration extractor; IPs: 168.197.250.14:80
Source: Malware configuration extractor; IPs: 37.44.244.177:8080
Source: Malware configuration extractor; IPs: 66.42.57.149:443
Source: Malware configuration extractor; IPs: 210.57.209.142:8080
Source: Malware configuration extractor; IPs: 159.69.237.188:443
Source: Malware configuration extractor; IPs: 116.124.128.206:8080
Source: Malware configuration extractor; IPs: 128.199.192.135:8080
Source: Malware configuration extractor; IPs: 195.154.146.35:443
Source: Malware configuration extractor; IPs: 185.148.168.15:8080
Source: Malware configuration extractor; IPs: 195.77.239.39:8080
Source: Malware configuration extractor; IPs: 207.148.81.119:8080
Source: Malware configuration extractor; IPs: 85.214.67.203:8080
Source: Malware configuration extractor; IPs: 190.90.233.66:443
Source: Malware configuration extractor; IPs: 78.46.73.125:443
Source: Malware configuration extractor; IPs: 78.47.204.80:443
Source: Malware configuration extractor; IPs: 37.59.209.141:8080
Source: Malware configuration extractor; IPs: 54.37.228.122:443
Source: global traffic; TCP traffic: 192.168.2.6:49728 -> 69.16.218.101:8080
Source: unknown; Network traffic detected: IP country count 12
Source: unknown; TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 occurrences)
Source: unknown; TCP traffic detected without corresponding DNS query: 69.16.218.101 (12 occurrences)
Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000015.00000003.511468259.000001E0BD5B3000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmpString found in binary or memory: trings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.c
ore.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"leve
Source: svchost.exe, 00000015.00000002.528158834.000001E0BD500000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863748399.000002E116062000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.504317499.000001E0BD583000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504779704.000001E0BDA19000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504403415.000001E0BD594000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504445076.000001E0BD5A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10001280 recvfrom
Source: loaddll32.exe, 00000000.00000000.380317596.0000000000D6B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 5.2.rundll32.exe.5200000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5a90000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.54c0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.46a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5490000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b50000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.56a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5640000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.46a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d30000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.56d0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.55d0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5460000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5600000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.53c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.46d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.3080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5930000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5640000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5630000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.4020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5900000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.55a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.55a0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.d30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.33d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.56a0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.4e60000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5600000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.33b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5670000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.4020000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.54c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.3080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.33d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.54f0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.4a10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5900000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5a60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5a60000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.4050000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.388319825.0000000005640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388061342.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388938400.0000000005A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425302680.00000000054F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388421865.00000000056A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.421593787.0000000004051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388494502.00000000056D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388374896.0000000005671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.424744123.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.390300102.0000000004A11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388137915.0000000005460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425412117.0000000005600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388743358.0000000005900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425380885.00000000055D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.421559907.0000000004020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.378920575.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.387667842.0000000004E61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.380234706.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.389941280.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.377076576.00000000046D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.380280063.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425231298.00000000053C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.403315549.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.387995858.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.379032722.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.389038479.0000000005A91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425055302.0000000005200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.376980438.00000000046A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425273355.00000000054C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425444879.0000000005631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388835673.0000000005931000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.387132452.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.388209292.0000000005491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.425344500.00000000055A0000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

Source: ALNgwfVtrB.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Sqvvzhazj\
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4EFDD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4CAD5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4CCD9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4D8DB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D380C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4BEFD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4E4E5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3F0E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D500EF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D546BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D40EBC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3C6B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D40ABA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4A2A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D31CA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3BAA9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D43EAA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D536AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4B257
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D42E5D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D44244
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D37442
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3E640
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4F840
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3A445
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4A474
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3A871
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4DC71
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3DE74
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D37E79
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D37078
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4567B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D50A64
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D44A66
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53263
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D48806
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D49A01
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D47A0F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D52009
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D33431
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D38636
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3B820
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4C5D5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4FBDE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3C5D8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3E7DE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D407F4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D49DF5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D485FF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4E1F8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D355FF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D427F9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D34BFC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D467E6
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D32194
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D43D85
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D40F86
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D46187
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3FB8E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3238C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4D1BC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D517BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D357B8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3BFBE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D377A3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D48FAE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D507AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4E955
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D52D53
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4FF58
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D47D5B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D42142
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4654A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3D14C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D44F74
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D49774
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D36B7A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D45779
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4437A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4017B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3F369
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D45515
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3670B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D52B09
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D4AD08
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D3EF0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D45333
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D48D3D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D31F38
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03672142
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367654A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367FF58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366670B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367AD08
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367EFDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366C5D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03674A66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366DE74
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366A445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03668636
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03682009
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03677A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366F369
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03674F74
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03679774
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03666B7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367017B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367437A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03675779
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366D14C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0367E955
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03682D53
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03677D5B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03675333
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03678D3D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03661F38
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03682B09
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0366EF0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03675515
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_036767E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03679DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_036707F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_036785FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036655FF5_2_036655FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03664BFC5_2_03664BFC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036727F95_2_036727F9