Analysis Report aEdlObiYav

Overview

General Information

Sample Name: aEdlObiYav (renamed file extension from none to exe)
Analysis ID: 376365
MD5: ae03a6f8fb74d401b403647d28e21574
SHA1: 6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256: 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • aEdlObiYav.exe (PID: 5064 cmdline: 'C:\Users\user\Desktop\aEdlObiYav.exe' MD5: AE03A6F8FB74D401B403647D28E21574)
    • aEdlObiYav.exe (PID: 5528 cmdline: --79fd8b32 MD5: AE03A6F8FB74D401B403647D28E21574)
  • picturerus.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\picturerus.exe MD5: AE03A6F8FB74D401B403647D28E21574)
    • picturerus.exe (PID: 4228 cmdline: --b743c2a4 MD5: AE03A6F8FB74D401B403647D28E21574)
  • svchost.exe (PID: 5536 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2376 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4504 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 804 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1228 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5540 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5048 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA ED 00 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 EC 10 EE 00 A3 E8 10 EE 00 39 05 A0 E3 ED 00 74 18 40 A3 E8 10 EE 00 83 3C C5 A0 E3 ...
00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA E2 00 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 EC 10 E3 00 A3 E8 10 E3 00 39 05 A0 E3 E2 00 74 18 40 A3 E8 10 E3 00 83 3C C5 A0 E3 ...
00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(table truncated; 11 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.aEdlObiYav.exe.22c053f.2.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
0.2.aEdlObiYav.exe.22c053f.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.aEdlObiYav.exe.22c053f.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0
  • 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
3.2.picturerus.exe.e1053f.2.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
3.2.picturerus.exe.e1053f.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(table truncated; 23 entries in the full report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: aEdlObiYav.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: aEdlObiYav.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: aEdlObiYav.exe | Joe Sandbox ML: detected
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.picturerus.exe.e1053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.picturerus.exe.60053f.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0219207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,1_2_0219207B
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0219215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,1_2_0219215A
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191F11 CryptExportKey,1_2_02191F11
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191F56 CryptGetHashParam,1_2_02191F56
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,1_2_02191F75
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,1_2_02191FFC
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,4_2_00ED207B
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_00ED1FFC
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,4_2_00ED1F75
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1F11 CryptExportKey,4_2_00ED1F11
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,4_2_00ED215A
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1F56 CryptGetHashParam,4_2_00ED1F56
Source: aEdlObiYav.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb | source: aEdlObiYav.exe
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,0_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,1_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,1_2_0043AE3F
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 209.141.41.136:8080
Source: global traffic | TCP traffic: 192.168.2.5:49726 -> 104.236.246.93:8080
Source: global traffic | TCP traffic: 192.168.2.5:49727 -> 198.199.114.69:8080
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 152.89.236.214:8080
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 87.106.136.232:8080
Source: global traffic | TCP traffic: 192.168.2.5:49732 -> 178.210.51.222:8080
Source: Joe Sandbox View | IP Address: 104.236.246.93 104.236.246.93
Source: Joe Sandbox View | IP Address: 87.106.136.232 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown | TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown | TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1383 InternetReadFile,4_2_00ED1383
Source: picturerus.exe, 00000004.00000002.487408684.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://178.210.51.222/attrib/glitch/add/merge/
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000005.00000002.487921047.000001F62F2A0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000005.00000002.491346023.000001F634C00000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.305368398.0000023F57C64000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.305042012.0000023F57C3A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0043814C
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState,0_2_0044C334
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_004450BA
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,0_2_0042F3FF
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_00449796
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_00433B4D
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_0043814C
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState,1_2_0044C334
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,1_2_004450BA
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,1_2_0042F3FF
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_00449796
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_00433B4D

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0219C11B 1_2_0219C11B
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00EDC11B 4_2_00EDC11B
Yara detected Emotet
Source: Yara match | File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,1_2_02191F75
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,4_2_00ED1F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0219C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,1_2_0219C2E7
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191D2B CreateProcessAsUserW,CreateProcessW,1_2_02191D2B
Source: C:\Windows\SysWOW64\picturerus.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\aEdlObiYav.exe | File deleted: C:\Windows\SysWOW64\picturerus.exe:Zone.Identifier
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0041CB04 0_2_0041CB04
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004351C1 0_2_004351C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00419288 0_2_00419288
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0041CB04 1_2_0041CB04
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004351C1 1_2_004351C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00419288 1_2_00419288
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_021828C1 1_2_021828C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_021830E8 1_2_021830E8
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_021830E4 1_2_021830E4
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_021937A9 1_2_021937A9
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_021937A5 1_2_021937A5
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02192F82 1_2_02192F82
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E130E4 3_2_00E130E4
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E130E8 3_2_00E130E8
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E128C1 3_2_00E128C1
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E237A5 3_2_00E237A5
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E237A9 3_2_00E237A9
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E22F82 3_2_00E22F82
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_006030E4 4_2_006030E4
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_006030E8 4_2_006030E8
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_006028C1 4_2_006028C1
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED37A9 4_2_00ED37A9
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED37A5 4_2_00ED37A5
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED2F82 4_2_00ED2F82
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 00401AB4 appears 46 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 004373E9 appears 31 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 0041C3B9 appears 57 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 004334D7 appears 64 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 0044D589 appears 86 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 00419937 appears 8618 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 0044FB2C appears 32 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 00419918 appears 483 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 0041923C appears 130 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 0041E3BF appears 79 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: String function: 0044D5AF appears 37 times
Source: aEdlObiYav.exe, 00000000.00000002.221382669.0000000002280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.241858641.0000000002900000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs aEdlObiYav.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: aEdlObiYav.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: classification engineClassification label: mal100.bank.troj.evad.winEXE@15/5@0/8
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,0_2_0043F939
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_0219C3B7
            Source: C:\Windows\SysWOW64\picturerus.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_00EDC3B7
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_02191943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_02191943
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,0_2_00416DE7
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,0_2_004315F6
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_0219C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_0219C3B7
            Source: C:\Users\user\Desktop\aEdlObiYav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
            Source: C:\Users\user\Desktop\aEdlObiYav.exeMutant created: \Sessions\1\BaseNamedObjects\Global\M765E845E
            Source: C:\Users\user\Desktop\aEdlObiYav.exeMutant created: \Sessions\1\BaseNamedObjects\Global\I765E845E
            Source: C:\Windows\SysWOW64\picturerus.exeMutant created: \BaseNamedObjects\Global\I765E845E
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3896:120:WilError_01
            Source: aEdlObiYav.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\aEdlObiYav.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\aEdlObiYav.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: aEdlObiYav.exeReversingLabs: Detection: 96%
            Source: C:\Windows\SysWOW64\picturerus.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
            Source: unknownProcess created: C:\Users\user\Desktop\aEdlObiYav.exe 'C:\Users\user\Desktop\aEdlObiYav.exe'
            Source: C:\Users\user\Desktop\aEdlObiYav.exeProcess created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32
            Source: unknownProcess created: C:\Windows\SysWOW64\picturerus.exe C:\Windows\SysWOW64\picturerus.exe
            Source: C:\Windows\SysWOW64\picturerus.exeProcess created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
            Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
            Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
            Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
            Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aEdlObiYav.exeProcess created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32Jump to behavior
            Source: C:\Windows\SysWOW64\picturerus.exeProcess created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4Jump to behavior
            Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenableJump to behavior
            Source: C:\Users\user\Desktop\aEdlObiYav.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: aEdlObiYav.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: aEdlObiYav.exe
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_00432655
            Source: aEdlObiYav.exeStatic PE information: real checksum: 0x7ffed should be: 0x800e5
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_00419277 push ecx; ret 0_2_00419287
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_004193A0 push eax; ret 0_2_004193B4
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_004193A0 push eax; ret 0_2_004193DC
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 0_2_00419918 push eax; ret 0_2_00419936
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_00419277 push ecx; ret 1_2_00419287
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_004193A0 push eax; ret 1_2_004193B4
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_004193A0 push eax; ret 1_2_004193DC
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_00419918 push eax; ret 1_2_00419936
            Source: C:\Users\user\Desktop\aEdlObiYav.exeCode function: 1_2_0218E190 push BB276B01h; ret 1_2_0218E1C2
            Source: C:\Windows\SysWOW64\picturerus.exeCode function: 3_2_00E1E190 push BB276B01h; ret 3_2_00E1E1C2
            Source: C:\Windows\SysWOW64\picturerus.exeCode function: 4_2_0060E190 push BB276B01h; ret 4_2_0060E1C2

            Persistence and Installation Behavior:
