Analysis Report 9cf2c56e_by_Libranalysis

Overview

General Information

Sample Name: 9cf2c56e_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 405433
MD5: 9cf2c56ef2d9ed4c679013369c6bf4c0
SHA1: 77a2d90daf8ccff12ba036924d49c0d57cfbc89b
SHA256: ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 9cf2c56e_by_Libranalysis.exe (PID: 5732 cmdline: 'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe' MD5: 9CF2C56EF2D9ED4C679013369C6BF4C0)
    • aeevts.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\aeevts\aeevts.exe MD5: 9CF2C56EF2D9ED4C679013369C6BF4C0)
  • svchost.exe (PID: 6012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3360 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5448 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4936 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5980 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2416 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1260 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 2000 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1048 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6220 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["47.148.241.179:80", "24.204.47.87:80", "80.86.91.91:8080", "104.236.28.47:8080", "87.106.136.232:8080", "211.63.71.72:8080", "113.52.123.226:7080", "78.101.70.199:443", "76.86.17.1:80", "222.144.13.169:80", "47.155.214.239:80", "181.143.126.170:80", "169.239.182.217:8080", "181.126.70.117:80", "209.137.209.84:443", "207.177.72.129:8080", "37.139.21.175:8080", "149.202.153.252:8080", "108.6.170.195:80", "37.187.72.193:8080", "190.220.19.82:443", "206.81.10.215:8080", "92.222.216.44:8080", "104.131.44.150:8080", "103.86.49.11:8080", "78.186.5.109:443", "62.75.187.192:8080", "76.104.80.47:80", "176.9.43.37:8080", "31.172.240.91:8080", "66.34.201.20:7080", "125.207.127.86:80", "85.152.174.56:80", "78.189.180.107:80", "23.92.16.164:8080", "178.153.176.124:80", "74.208.45.104:8080", "177.239.160.121:80", "47.156.70.145:80", "217.160.182.191:8080", "223.197.185.60:80", "95.213.236.64:8080", "190.143.39.231:80", "173.73.87.96:80", "46.105.131.87:80", "93.147.141.5:443", "105.27.155.182:80", "209.146.22.34:443", "174.53.195.88:80", "59.20.65.102:80", "205.185.117.108:8080", "200.21.90.5:443", "5.32.55.214:80", "95.128.43.213:8080", "108.191.2.72:80", "105.247.123.133:8080", "178.20.74.212:80", "101.100.137.135:80", "210.6.85.121:80", "50.116.86.205:8080", "70.180.35.211:80", "162.241.92.219:8080", "5.196.74.210:8080", "201.173.217.124:443", "91.242.136.103:80", "45.33.49.124:443", "59.103.164.174:80", "47.6.15.79:80", "201.184.105.242:443", "71.222.233.135:443", "24.105.202.216:443", "76.104.80.47:443", "188.0.135.237:80", "60.231.217.199:8080", "31.31.77.83:443", "190.12.119.180:443", "62.138.26.28:8080", "47.153.183.211:80", "71.126.247.90:80", "189.212.199.126:443", "200.116.145.225:443", "139.130.241.252:443", "90.69.145.210:8080", "75.114.235.105:80", 
"74.130.83.133:80", "24.164.79.147:8080", "190.114.244.182:443", "180.92.239.110:8080", "108.190.109.107:80", "181.13.24.82:80", "74.108.124.180:80", "209.141.54.221:8080", "110.36.217.66:8080", "174.83.116.77:80", "47.155.214.239:443", "85.105.205.77:8080", "179.13.185.19:80", "139.130.242.43:80", "160.16.215.66:8080", "45.55.65.123:8080", "41.60.200.34:80", "88.249.120.205:80", "98.239.119.52:80", "2.237.76.249:80", "87.106.139.101:8080", "121.88.5.176:443", "120.150.246.241:80", "190.146.205.227:8080", "195.244.215.206:80", "68.114.229.171:80", "46.105.131.69:443", "104.236.246.93:8080", "110.44.113.2:80", "60.250.78.22:443", "70.184.9.39:8080", "209.97.168.52:8080", "47.26.155.17:80", "101.187.197.33:443", "115.65.111.148:443", "98.156.206.153:80", "70.127.155.33:80", "65.184.222.119:80", "152.168.248.128:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp | Win32_Trojan_Emotet | unknown | ReversingLabs
  • 0x1c00:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x6cf0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp | Win32_Trojan_Emotet | unknown | ReversingLabs
  • 0x1c00:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x6cf0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.aeevts.exe.ad053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
4.2.aeevts.exe.ad053f.1.unpack | Win32_Trojan_Emotet | unknown | ReversingLabs
  • 0x1400:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x64f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | Win32_Trojan_Emotet | unknown | ReversingLabs
  • 0x1400:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x64f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
4.2.aeevts.exe.ad053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 9cf2c56e_by_Libranalysis.exe | Avira: detected
Found malware configuration
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | Malware Configuration Extractor: Emotet (same RSA public key and C2 list as shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 9cf2c56e_by_Libranalysis.exe | ReversingLabs: Detection: 76%
Source: 9cf2c56e_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb source: 9cf2c56e_by_Libranalysis.exe, aeevts.exe
Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb@K,CJ source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, aeevts.exe, 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe | Code function: 0_2_0045436A lstrlen,FindFirstFileA,FindClose,0_2_0045436A
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe | Code function: 0_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,0_2_0044533D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe | Code function: 4_2_0045436A lstrlen,FindFirstFileA,FindClose,4_2_0045436A
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe | Code function: 4_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,4_2_0044533D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 211.63.71.72: -> 192.168.2.3:
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 47.148.241.179:80
Source: Malware configuration extractor | IPs: 24.204.47.87:80
Source: Malware configuration extractor | IPs: 80.86.91.91:8080
Source: Malware configuration extractor | IPs: 104.236.28.47:8080
Source: Malware configuration extractor | IPs: 87.106.136.232:8080
Source: Malware configuration extractor | IPs: 211.63.71.72:8080
Source: Malware configuration extractor | IPs: 113.52.123.226:7080
Source: Malware configuration extractor | IPs: 78.101.70.199:443
Source: Malware configuration extractor | IPs: 76.86.17.1:80
Source: Malware configuration extractor | IPs: 222.144.13.169:80
Source: Malware configuration extractor | IPs: 47.155.214.239:80
Source: Malware configuration extractor | IPs: 181.143.126.170:80
Source: Malware configuration extractor | IPs: 169.239.182.217:8080
Source: Malware configuration extractor | IPs: 181.126.70.117:80
Source: Malware configuration extractor | IPs: 209.137.209.84:443
Source: Malware configuration extractor | IPs: 207.177.72.129:8080
Source: Malware configuration extractor | IPs: 37.139.21.175:8080
Source: Malware configuration extractor | IPs: 149.202.153.252:8080
Source: Malware configuration extractor | IPs: 108.6.170.195:80
Source: Malware configuration extractor | IPs: 37.187.72.193:8080
Source: Malware configuration extractor | IPs: 190.220.19.82:443
Source: Malware configuration extractor | IPs: 206.81.10.215:8080
Source: Malware configuration extractor | IPs: 92.222.216.44:8080
Source: Malware configuration extractor | IPs: 104.131.44.150:8080
Source: Malware configuration extractor | IPs: 103.86.49.11:8080
Source: Malware configuration extractor | IPs: 78.186.5.109:443
Source: Malware configuration extractor | IPs: 62.75.187.192:8080
Source: Malware configuration extractor | IPs: 76.104.80.47:80
Source: Malware configuration extractor | IPs: 176.9.43.37:8080
Source: Malware configuration extractor | IPs: 31.172.240.91:8080
Source: Malware configuration extractor | IPs: 66.34.201.20:7080
Source: Malware configuration extractor | IPs: 125.207.127.86:80
Source: Malware configuration extractor | IPs: 85.152.174.56:80
Source: Malware configuration extractor | IPs: 78.189.180.107:80
Source: Malware configuration extractor | IPs: 23.92.16.164:8080
Source: Malware configuration extractor | IPs: 178.153.176.124:80
Source: Malware configuration extractor | IPs: 74.208.45.104:8080
Source: Malware configuration extractor | IPs: 177.239.160.121:80
Source: Malware configuration extractor | IPs: 47.156.70.145:80
Source: Malware configuration extractor | IPs: 217.160.182.191:8080
Source: Malware configuration extractor | IPs: 223.197.185.60:80
Source: Malware configuration extractor | IPs: 95.213.236.64:8080
Source: Malware configuration extractor | IPs: 190.143.39.231:80
Source: Malware configuration extractor | IPs: 173.73.87.96:80
Source: Malware configuration extractor | IPs: 46.105.131.87:80
Source: Malware configuration extractor | IPs: 93.147.141.5:443
Source: Malware configuration extractor | IPs: 105.27.155.182:80
Source: Malware configuration extractor | IPs: 209.146.22.34:443
Source: Malware configuration extractor | IPs: 174.53.195.88:80
Source: Malware configuration extractor | IPs: 59.20.65.102:80
Source: Malware configuration extractor | IPs: 205.185.117.108:8080
Source: Malware configuration extractor | IPs: 200.21.90.5:443
Source: Malware configuration extractor | IPs: 5.32.55.214:80
Source: Malware configuration extractor | IPs: 95.128.43.213:8080
Source: Malware configuration extractor | IPs: 108.191.2.72:80
Source: Malware configuration extractor | IPs: 105.247.123.133:8080
Source: Malware configuration extractor | IPs: 178.20.74.212:80
Source: Malware configuration extractor | IPs: 101.100.137.135:80
Source: Malware configuration extractor | IPs: 210.6.85.121:80
Source: Malware configuration extractor | IPs: 50.116.86.205:8080
Source: Malware configuration extractor | IPs: 70.180.35.211:80
Source: Malware configuration extractor | IPs: 162.241.92.219:8080
Source: Malware configuration extractor | IPs: 5.196.74.210:8080
Source: Malware configuration extractor | IPs: 201.173.217.124:443
Source: Malware configuration extractor | IPs: 91.242.136.103:80
Source: Malware configuration extractor | IPs: 45.33.49.124:443
Source: Malware configuration extractor | IPs: 59.103.164.174:80
Source: Malware configuration extractor | IPs: 47.6.15.79:80
Source: Malware configuration extractor | IPs: 201.184.105.242:443
Source: Malware configuration extractor | IPs: 71.222.233.135:443
Source: Malware configuration extractor | IPs: 24.105.202.216:443
Source: Malware configuration extractor | IPs: 76.104.80.47:443
Source: Malware configuration extractor | IPs: 188.0.135.237:80
Source: Malware configuration extractor | IPs: 60.231.217.199:8080
Source: Malware configuration extractor | IPs: 31.31.77.83:443
Source: Malware configuration extractor | IPs: 190.12.119.180:443
Source: Malware configuration extractor | IPs: 62.138.26.28:8080
Source: Malware configuration extractor | IPs: 47.153.183.211:80
Source: Malware configuration extractor | IPs: 71.126.247.90:80
Source: Malware configuration extractor | IPs: 189.212.199.126:443
Source: Malware configuration extractor | IPs: 200.116.145.225:443
Source: Malware configuration extractor | IPs: 139.130.241.252:443
Source: Malware configuration extractor | IPs: 90.69.145.210:8080
Source: Malware configuration extractor | IPs: 75.114.235.105:80
Source: Malware configuration extractor | IPs: 74.130.83.133:80
Source: Malware configuration extractor | IPs: 24.164.79.147:8080
Source: Malware configuration extractor | IPs: 190.114.244.182:443
Source: Malware configuration extractor | IPs: 180.92.239.110:8080
Source: Malware configuration extractor | IPs: 108.190.109.107:80
Source: Malware configuration extractor | IPs: 181.13.24.82:80
Source: Malware configuration extractor | IPs: 74.108.124.180:80
Source: Malware configuration extractor | IPs: 209.141.54.221:8080
Source: Malware configuration extractor | IPs: 110.36.217.66:8080
Source: Malware configuration extractor | IPs: 174.83.116.77:80
Source: Malware configuration extractor | IPs: 47.155.214.239:443
Source: Malware configuration extractor | IPs: 85.105.205.77:8080
Source: Malware configuration extractor | IPs: 179.13.185.19:80
Source: Malware configuration extractor | IPs: 139.130.242.43:80
Source: Malware configuration extractor | IPs: 160.16.215.66:8080
Source: Malware configuration extractor | IPs: 45.55.65.123:8080
Source: Malware configuration extractor | IPs: 41.60.200.34:80
Source: Malware configuration extractor | IPs: 88.249.120.205:80
Source: Malware configuration extractor | IPs: 98.239.119.52:80
Source: Malware configuration extractor | IPs: 2.237.76.249:80
Source: Malware configuration extractor | IPs: 87.106.139.101:8080
Source: Malware configuration extractor | IPs: 121.88.5.176:443
Source: Malware configuration extractor | IPs: 120.150.246.241:80
Source: Malware configuration extractor | IPs: 190.146.205.227:8080
Source: Malware configuration extractor | IPs: 195.244.215.206:80
Source: Malware configuration extractor | IPs: 68.114.229.171:80
Source: Malware configuration extractor | IPs: 46.105.131.69:443
Source: Malware configuration extractor | IPs: 104.236.246.93:8080
Source: Malware configuration extractor | IPs: 110.44.113.2:80
Source: Malware configuration extractor | IPs: 60.250.78.22:443
Source: Malware configuration extractor | IPs: 70.184.9.39:8080
Source: Malware configuration extractor | IPs: 209.97.168.52:8080
Source: Malware configuration extractor | IPs: 47.26.155.17:80
Source: Malware configuration extractor | IPs: 101.187.197.33:443
Source: Malware configuration extractor | IPs: 115.65.111.148:443
Source: Malware configuration extractor | IPs: 98.156.206.153:80
Source: Malware configuration extractor | IPs: 70.127.155.33:80
Source: Malware configuration extractor | IPs: 65.184.222.119:80
Source: Malware configuration extractor | IPs: 152.168.248.128:443
Source: unknown | Network traffic detected: IP country count 28
Source: global traffic | TCP traffic: 192.168.2.3:49729 -> 80.86.91.91:8080
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 104.236.28.47:8080
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 87.106.136.232:8080
Source: global traffic | TCP traffic: 192.168.2.3:49733 -> 211.63.71.72:8080
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 113.52.123.226:7080
Source: Joe Sandbox View | IP Address: 71.126.247.90
Source: Joe Sandbox View | ASN Name: VODAFONE-IT-ASNIT
Source: Joe Sandbox View | ASN Name: ASN-TELSTRATelstraCorporationLtdAU
Source: global traffic | TCP traffic: 192.168.2.3:49720 -> 47.148.241.179:80
Source: global traffic | TCP traffic: 192.168.2.3:49726 -> 24.204.47.87:80
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 78.101.70.199:443
Source: unknown | TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown | TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown | TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown | TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown | TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown | TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown | TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown | TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown | TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown | TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown | TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown | TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: unknown | TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: unknown | TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: aeevts.exe, 00000004.00000002.470575098.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/
Source: svchost.exe, 00000007.00000002.475298493.00000235C3C12000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.475298493.00000235C3C12000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.475253020.00000235C3C00000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.474499079.00000235C3A70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000007.00000002.471916171.00000235BE4AE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enum
Source: svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
              Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
              Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
              Source: svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
              Source: svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
              Source: svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
              Source: svchost.exe, 0000000E.00000002.309958796.0000018A5403A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
              Source: svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
              Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_0040A270 GetClientRect,DNameNode::DNameNode,IsWindowVisible,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,BitBlt,ReleaseDC,GetSysColor,CreateRectRgn,IsWindowVisible,BitBlt,InvalidateRect,4_2_0040A270
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_0043824F GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0043824F
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004287DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_004287DB
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00460A0B ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_00460A0B
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004119D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_004119D0
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00411CB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetK
eyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState0_2_00411CB0
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0043824F GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_0043824F
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004287DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_004287DB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00460A0B ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 4_2_00460A0B
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004119D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_004119D0
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_00411CB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKe
yState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState4_2_00411CB0
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00452CFD GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 4_2_00452CFD
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00433411 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent, 4_2_00433411
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0045F6EB GetKeyState,GetKeyState,GetKeyState, 4_2_0045F6EB

              E-Banking Fraud:

              Yara detected Emotet
              Source: Yara match File source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00460294 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect, 0_2_00460294
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00428BEF NtdllDefWindowProc_A, 0_2_00428BEF
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00425BDB NtdllDefWindowProc_A,CallWindowProcA, 0_2_00425BDB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00460294 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect, 4_2_00460294
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00428BEF NtdllDefWindowProc_A, 4_2_00428BEF
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00425BDB NtdllDefWindowProc_A,CallWindowProcA, 4_2_00425BDB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0042B3CC __snprintf_s,__snprintf_s,NtdllDefWindowProc_A, 4_2_0042B3CC
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00407480 _strlen,_strlen,GetSysColor,GetClassInfoA,NtdllDefWindowProc_A,LoadCursorA, 4_2_00407480
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0042B625 _memset,NtdllDefWindowProc_A, 4_2_0042B625
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File created: C:\Windows\SysWOW64\aeevts\
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File deleted: C:\Windows\SysWOW64\aeevts\aeevts.exe:Zone.Identifier
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004680CB 0_2_004680CB
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0048813B 0_2_0048813B
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00464300 0_2_00464300
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004684EB 0_2_004684EB
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00484AEB 0_2_00484AEB
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00470DCA 0_2_00470DCA
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00481104 0_2_00481104
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0048926D 0_2_0048926D
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0047D4B8 0_2_0047D4B8
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0048623B 0_2_0048623B
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0047238D 0_2_0047238D
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004680CB 4_2_004680CB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0048813B 4_2_0048813B
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00464300 4_2_00464300
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004684EB 4_2_004684EB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00484AEB 4_2_00484AEB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00470DCA 4_2_00470DCA
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00481104 4_2_00481104
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0048926D 4_2_0048926D
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047D4B8 4_2_0047D4B8
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0048623B 4_2_0048623B
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047238D 4_2_0047238D
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00486428 4_2_00486428
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00476650 4_2_00476650
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00482685 4_2_00482685
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0042A732 4_2_0042A732
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047A995 4_2_0047A995
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047AAAB 4_2_0047AAAB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00482BAE 4_2_00482BAE
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046F038 4_2_0046F038
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004830F0 4_2_004830F0
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046F2AC 4_2_0046F2AC
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00467418 4_2_00467418
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046F5B6 4_2_0046F5B6
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004678EB 4_2_004678EB
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004839C8 4_2_004839C8
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00467CBF 4_2_00467CBF
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00432A34 appears 36 times
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00465868 appears 52 times
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 004737C0 appears 42 times
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00436E97 appears 60 times
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00465835 appears 270 times
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00465A70 appears 91 times
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: String function: 00436E97 appears 38 times
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: String function: 00465835 appears 133 times
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: String function: 00465A70 appears 60 times
              Source: 9cf2c56e_by_Libranalysis.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218431401.0000000002C60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 9cf2c56e_by_Libranalysis.exe
              Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameIt's unfortunate that Democrats whomz- vs 9cf2c56e_by_Libranalysis.exe
              Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218551333.0000000002D60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 9cf2c56e_by_Libranalysis.exe
              Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218551333.0000000002D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9cf2c56e_by_Libranalysis.exe
              Source: 9cf2c56e_by_Libranalysis.exe Binary or memory string: OriginalFilenameIt's unfortunate that Democrats whomz- vs 9cf2c56e_by_Libranalysis.exe
              Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
              Source: 9cf2c56e_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
              Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
              Source: classification engine Classification label: mal100.troj.evad.winEXE@17/8@0/100
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004204F0 FindResourceA,VirtualAllocExNuma, 0_2_004204F0
              Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\IA8CD3455
              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_01
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MA8CD3455
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: 9cf2c56e_by_Libranalysis.exe ReversingLabs: Detection: 76%
              Source: unknown Process created: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe 'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe'
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\aeevts\aeevts.exe C:\Windows\SysWOW64\aeevts\aeevts.exe
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
              Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
              Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
              Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
              Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
              Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\aeevts\aeevts.exe C:\Windows\SysWOW64\aeevts\aeevts.exe
              Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb source: 9cf2c56e_by_Libranalysis.exe, aeevts.exe
              Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb@K,CJ source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, aeevts.exe, 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00485724 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00485724
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0046590D push ecx; ret 0_2_00465920
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00465AB5 push ecx; ret 0_2_00465AC8