
Analysis Report lK8vF3n2e7.exe

Overview

General Information

Sample Name: lK8vF3n2e7.exe
Analysis ID: 383022
MD5: d7cd602eb9e9ad8272d4ad0910815835
SHA1: cefae0fd990a5491e893796ab8ab56fc9edc015b
SHA256: bca575b21c8b02010cde26b2bd7b2e8cdc313f135f97363b34f8bf0f389a990b

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • lK8vF3n2e7.exe (PID: 460 cmdline: 'C:\Users\user\Desktop\lK8vF3n2e7.exe' MD5: D7CD602EB9E9AD8272D4AD0910815835)
    • lK8vF3n2e7.exe (PID: 4144 cmdline: --b0af2bca MD5: D7CD602EB9E9AD8272D4AD0910815835)
  • svchost.exe (PID: 3708 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • corsangle.exe (PID: 6128 cmdline: C:\Windows\SysWOW64\corsangle.exe MD5: D7CD602EB9E9AD8272D4AD0910815835)
    • corsangle.exe (PID: 5496 cmdline: --2e5419fc MD5: D7CD602EB9E9AD8272D4AD0910815835)
  • svchost.exe (PID: 4280 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 244 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2592 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1140 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6008 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3012 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5248 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 4276 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5836 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 23 02 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 0C 3C 23 02 A3 08 3C 23 02 39 05 60 03 23 02 74 18 40 A3 08 3C 23 02 83 3C C5 60 03 ...
00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.corsangle.exe.70053f.1.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
4.2.corsangle.exe.70053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
4.2.corsangle.exe.70053f.1.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x4866:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
3.2.corsangle.exe.e3053f.1.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
3.2.corsangle.exe.e3053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: lK8vF3n2e7.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: lK8vF3n2e7.exe | Virustotal: Detection: 71%
Source: lK8vF3n2e7.exe | ReversingLabs: Detection: 90%
Source: 0.0.lK8vF3n2e7.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dzjt
Source: 2.0.lK8vF3n2e7.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dzjt
Source: 3.0.corsangle.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dzjt
Source: 4.0.corsangle.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dzjt
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0222207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0222215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02221F11 CryptExportKey
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02221F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02221F56 CryptGetHashParam
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02221FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: lK8vF3n2e7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_004290C4 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_004290C4 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: global traffic | TCP traffic: 192.168.2.3:49729 -> 104.236.137.72:8080
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 213.189.36.51:8080
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 85.234.143.94:8080
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 119.59.124.163:8080
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 190.146.131.105:8080
Source: Joe Sandbox View | IP Address: 119.59.124.163
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.137.72
Source: unknown | TCP traffic detected without corresponding DNS query: 172.104.233.225
Source: unknown | TCP traffic detected without corresponding DNS query: 213.189.36.51
Source: unknown | TCP traffic detected without corresponding DNS query: 85.234.143.94
Source: unknown | TCP traffic detected without corresponding DNS query: 119.59.124.163
Source: unknown | TCP traffic detected without corresponding DNS query: 190.146.131.105
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_004267FF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_004267FF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0222DE9C
Yara detected Emotet
Source: Yara match | File source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02221F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_0040215A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0040215A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0222E068 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02221D2B CreateProcessAsUserW,CreateProcessW
Source: C:\Windows\SysWOW64\corsangle.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | File deleted: C:\Windows\SysWOW64\corsangle.exe:Zone.Identifier
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00401117
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_0042787E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00412BF0
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00414EDC
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_0040EF2E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_00401117
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0042787E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_00412BF0
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_00414EDC
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_0040EF2E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_021E30E8
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_021E30E4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_021E28C1
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_022237A5
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_022237A9
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 2_2_02222F82
Source: C:\Windows\SysWOW64\corsangle.exe | Code function: 3_2_00E330E4
Source: C:\Windows\SysWOW64\corsangle.exe | Code function: 3_2_00E330E8
Source: C:\Windows\SysWOW64\corsangle.exe | Code function: 3_2_00E328C1
Source: C:\Windows\SysWOW64\corsangle.exe | Code function: 3_2_00E537A5
Source: C:\Windows\SysWOW64\corsangle.exe | Code function: 3_2_00E537A9
Source: C:\Windows\SysWOW64\corsangle.exe | Code function: 3_2_00E52F82
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: String function: 004128A0 appears 334 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: String function: 00412BA4 appears 128 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: String function: 00416254 appears 50 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: String function: 00424E33 appears 62 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: String function: 00414843 appears 52 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: String function: 0042D179 appears 50 times
Source: lK8vF3n2e7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lK8vF3n2e7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lK8vF3n2e7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lK8vF3n2e7.exe, 00000000.00000002.194191938.000000000045C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSADODLG.EXE vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.232381898.000000000045C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSADODLG.EXE vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.235071054.0000000003110000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.235071054.0000000003110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.234823605.0000000003010000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe | Binary or memory string: OriginalFilenameMSADODLG.EXE vs lK8vF3n2e7.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: lK8vF3n2e7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: classification engineClassification label: mal96.bank.troj.evad.winEXE@20/10@0/8
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_0222E138
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeCode function: 2_2_02221943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_02221943
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeCode function: 0_2_004070AE CoCreateInstance,OleRun,CoCreateInstance,0_2_004070AE
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeCode function: 0_2_00428065 FindResourceA,LoadResource,LockResource,FreeResource,0_2_00428065
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeCode function: 2_2_0222E138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_0222E138
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3892:120:WilError_01
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeMutant created: \Sessions\1\BaseNamedObjects\Global\I8B93DEAF
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeMutant created: \Sessions\1\BaseNamedObjects\Global\M8B93DEAF
            Source: lK8vF3n2e7.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\lK8vF3n2e7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: lK8vF3n2e7.exe | Virustotal: Detection: 71%
Source: lK8vF3n2e7.exe | ReversingLabs: Detection: 90%
Source: lK8vF3n2e7.exe | String found in binary or memory: E4aXdlyDax6W5yGUiK+zzQuWwVX3LQqecci4Bees2GBp2ZfSbW1N/xyzbDoL5kOQMKqS6lAS2/WhX9uuPN5/wbyYciuvEhs8ykVZDbTGjBH91qRxKvGQ5GYH3N9xEy/V2mEBZ62Z02jtwgYTBKhCC0h0lehcWwrv9Qjn2XVFR5GMc/+duWl4uL7VE3z/4aSrX3sdAXeY75/vn7/r/aDDHEJfkkMt1sZprUyeoJcSBqisgyi6dXzPHz5Ec9N7ohNSzkTK
Source: C:\Windows\SysWOW64\corsangle.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_3-4595
Source: unknown | Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe 'C:\Users\user\Desktop\lK8vF3n2e7.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe --b0af2bca
Source: unknown | Process created: C:\Windows\SysWOW64\corsangle.exe C:\Windows\SysWOW64\corsangle.exe
Source: C:\Windows\SysWOW64\corsangle.exe | Process created: C:\Windows\SysWOW64\corsangle.exe --2e5419fc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe --b0af2bca
Source: C:\Windows\SysWOW64\corsangle.exe | Process created: C:\Windows\SysWOW64\corsangle.exe --2e5419fc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00401784 LoadLibraryW,GetProcAddress
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00412260 push eax; ret 0_2_00412274
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00412260 push eax; ret 0_2_0041229C
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_004128A0 push eax; ret 0_2_004128BE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe | Code function: 0_2_00412BDF push ecx; ret 0_2_00412BEF
Source: C:\Users\user\Desktop\lK8vF