Analysis Report 9cf2c56e_by_Libranalysis

Overview

General Information

Sample Name: 9cf2c56e_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 405433
MD5: 9cf2c56ef2d9ed4c679013369c6bf4c0
SHA1: 77a2d90daf8ccff12ba036924d49c0d57cfbc89b
SHA256: ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 9cf2c56e_by_Libranalysis.exe (PID: 5732 cmdline: 'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe' MD5: 9CF2C56EF2D9ED4C679013369C6BF4C0)
    • aeevts.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\aeevts\aeevts.exe MD5: 9CF2C56EF2D9ED4C679013369C6BF4C0)
  • svchost.exe (PID: 6012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3360 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5448 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4936 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5980 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2416 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1260 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 2000 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1048 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6220 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["47.148.241.179:80", "24.204.47.87:80", "80.86.91.91:8080", "104.236.28.47:8080", "87.106.136.232:8080", "211.63.71.72:8080", "113.52.123.226:7080", "78.101.70.199:443", "76.86.17.1:80", "222.144.13.169:80", "47.155.214.239:80", "181.143.126.170:80", "169.239.182.217:8080", "181.126.70.117:80", "209.137.209.84:443", "207.177.72.129:8080", "37.139.21.175:8080", "149.202.153.252:8080", "108.6.170.195:80", "37.187.72.193:8080", "190.220.19.82:443", "206.81.10.215:8080", "92.222.216.44:8080", "104.131.44.150:8080", "103.86.49.11:8080", "78.186.5.109:443", "62.75.187.192:8080", "76.104.80.47:80", "176.9.43.37:8080", "31.172.240.91:8080", "66.34.201.20:7080", "125.207.127.86:80", "85.152.174.56:80", "78.189.180.107:80", "23.92.16.164:8080", "178.153.176.124:80", "74.208.45.104:8080", "177.239.160.121:80", "47.156.70.145:80", "217.160.182.191:8080", "223.197.185.60:80", "95.213.236.64:8080", "190.143.39.231:80", "173.73.87.96:80", "46.105.131.87:80", "93.147.141.5:443", "105.27.155.182:80", "209.146.22.34:443", "174.53.195.88:80", "59.20.65.102:80", "205.185.117.108:8080", "200.21.90.5:443", "5.32.55.214:80", "95.128.43.213:8080", "108.191.2.72:80", "105.247.123.133:8080", "178.20.74.212:80", "101.100.137.135:80", "210.6.85.121:80", "50.116.86.205:8080", "70.180.35.211:80", "162.241.92.219:8080", "5.196.74.210:8080", "201.173.217.124:443", "91.242.136.103:80", "45.33.49.124:443", "59.103.164.174:80", "47.6.15.79:80", "201.184.105.242:443", "71.222.233.135:443", "24.105.202.216:443", "76.104.80.47:443", "188.0.135.237:80", "60.231.217.199:8080", "31.31.77.83:443", "190.12.119.180:443", "62.138.26.28:8080", "47.153.183.211:80", "71.126.247.90:80", "189.212.199.126:443", "200.116.145.225:443", "139.130.241.252:443", "90.69.145.210:8080", "75.114.235.105:80", 
"74.130.83.133:80", "24.164.79.147:8080", "190.114.244.182:443", "180.92.239.110:8080", "108.190.109.107:80", "181.13.24.82:80", "74.108.124.180:80", "209.141.54.221:8080", "110.36.217.66:8080", "174.83.116.77:80", "47.155.214.239:443", "85.105.205.77:8080", "179.13.185.19:80", "139.130.242.43:80", "160.16.215.66:8080", "45.55.65.123:8080", "41.60.200.34:80", "88.249.120.205:80", "98.239.119.52:80", "2.237.76.249:80", "87.106.139.101:8080", "121.88.5.176:443", "120.150.246.241:80", "190.146.205.227:8080", "195.244.215.206:80", "68.114.229.171:80", "46.105.131.69:443", "104.236.246.93:8080", "110.44.113.2:80", "60.250.78.22:443", "70.184.9.39:8080", "209.97.168.52:8080", "47.26.155.17:80", "101.187.197.33:443", "115.65.111.148:443", "98.156.206.153:80", "70.127.155.33:80", "65.184.222.119:80", "152.168.248.128:443"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp | Rule: Win32_Trojan_Emotet | Description: unknown | Author: ReversingLabs | Strings:
  • 0x1c00:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x6cf0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp | Rule: Win32_Trojan_Emotet | Description: unknown | Author: ReversingLabs | Strings:
  • 0x1c00:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x6cf0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
(3 further entries not shown)

Unpacked PEs

Source: 4.2.aeevts.exe.ad053f.1.unpack | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 4.2.aeevts.exe.ad053f.1.unpack | Rule: Win32_Trojan_Emotet | Description: unknown | Author: ReversingLabs | Strings:
  • 0x1400:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x64f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | Rule: Win32_Trojan_Emotet | Description: unknown | Author: ReversingLabs | Strings:
  • 0x1400:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ...
  • 0x64f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
Source: 4.2.aeevts.exe.ad053f.1.raw.unpack | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 9cf2c56e_by_Libranalysis.exe | Avira: detected
Found malware configuration
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["47.148.241.179:80", "24.204.47.87:80", "80.86.91.91:8080", "104.236.28.47:8080", "87.106.136.232:8080", "211.63.71.72:8080", "113.52.123.226:7080", "78.101.70.199:443", "76.86.17.1:80", "222.144.13.169:80", "47.155.214.239:80", "181.143.126.170:80", "169.239.182.217:8080", "181.126.70.117:80", "209.137.209.84:443", "207.177.72.129:8080", "37.139.21.175:8080", "149.202.153.252:8080", "108.6.170.195:80", "37.187.72.193:8080", "190.220.19.82:443", "206.81.10.215:8080", "92.222.216.44:8080", "104.131.44.150:8080", "103.86.49.11:8080", "78.186.5.109:443", "62.75.187.192:8080", "76.104.80.47:80", "176.9.43.37:8080", "31.172.240.91:8080", "66.34.201.20:7080", "125.207.127.86:80", "85.152.174.56:80", "78.189.180.107:80", "23.92.16.164:8080", "178.153.176.124:80", "74.208.45.104:8080", "177.239.160.121:80", "47.156.70.145:80", "217.160.182.191:8080", "223.197.185.60:80", "95.213.236.64:8080", "190.143.39.231:80", "173.73.87.96:80", "46.105.131.87:80", "93.147.141.5:443", "105.27.155.182:80", "209.146.22.34:443", "174.53.195.88:80", "59.20.65.102:80", "205.185.117.108:8080", "200.21.90.5:443", "5.32.55.214:80", "95.128.43.213:8080", "108.191.2.72:80", "105.247.123.133:8080", "178.20.74.212:80", "101.100.137.135:80", "210.6.85.121:80", "50.116.86.205:8080", "70.180.35.211:80", "162.241.92.219:8080", "5.196.74.210:8080", "201.173.217.124:443", "91.242.136.103:80", "45.33.49.124:443", "59.103.164.174:80", "47.6.15.79:80", "201.184.105.242:443", "71.222.233.135:443", "24.105.202.216:443", "76.104.80.47:443", "188.0.135.237:80", "60.231.217.199:8080", "31.31.77.83:443", "190.12.119.180:443", "62.138.26.28:8080", "47.153.183.211:80", "71.126.247.90:80", "189.212.199.126:443", "200.116.145.225:443", "139.130.241.252:443", "90.69.145.210:8080", "75.114.235.105:80", "74.130.83.133:80", "24.164.79.147:8080", "190.114.244.182:443", "180.92.239.110:8080", "108.190.109.107:80", "181.13.24.82:80", "74.108.124.180:80", "209.141.54.221:8080", "110.36.217.66:8080", "174.83.116.77:80", "47.155.214.239:443", "85.105.205.77:8080", "179.13.185.19:80", "139.130.242.43:80", "160.16.215.66:8080", "45.55.65.123:8080", "41.60.200.34:80", "88.249.120.205:80", "98.239.119.52:80", "2.237.76.249:80", "87.106.139.101:8080", "121.88.5.176:443", "120.150.246.241:80", "190.146.205.227:8080", "195.244.215.206:80", "68.114.229.171:80", "46.105.131.69:443", "104.236.246.93:8080", "110.44.113.2:80", "60.250.78.22:443", "70.184.9.39:8080", "209.97.168.52:8080", "47.26.155.17:80", "101.187.197.33:443", "115.65.111.148:443", "98.156.206.153:80", "70.127.155.33:80", "65.184.222.119:80", "152.168.248.128:443"]}
Multi AV Scanner detection for submitted file
Source: 9cf2c56e_by_Libranalysis.exe | ReversingLabs: Detection: 76%
Source: 9cf2c56e_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb source: 9cf2c56e_by_Libranalysis.exe, aeevts.exe
Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb@K,CJ source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, aeevts.exe, 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe | Code function: 0_2_0045436A lstrlen,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe | Code function: 0_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe | Code function: 4_2_0045436A lstrlen,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe | Code function: 4_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 211.63.71.72: -> 192.168.2.3:
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 47.148.241.179:80
Source: Malware configuration extractor | IPs: 24.204.47.87:80
Source: Malware configuration extractor | IPs: 80.86.91.91:8080
Source: Malware configuration extractor | IPs: 104.236.28.47:8080
Source: Malware configuration extractor | IPs: 87.106.136.232:8080
Source: Malware configuration extractor | IPs: 211.63.71.72:8080
Source: Malware configuration extractor | IPs: 113.52.123.226:7080
Source: Malware configuration extractor | IPs: 78.101.70.199:443
Source: Malware configuration extractor | IPs: 76.86.17.1:80
Source: Malware configuration extractor | IPs: 222.144.13.169:80
Source: Malware configuration extractor | IPs: 47.155.214.239:80
Source: Malware configuration extractor | IPs: 181.143.126.170:80
Source: Malware configuration extractor | IPs: 169.239.182.217:8080
Source: Malware configuration extractor | IPs: 181.126.70.117:80
Source: Malware configuration extractor | IPs: 209.137.209.84:443
Source: Malware configuration extractor | IPs: 207.177.72.129:8080
Source: Malware configuration extractor | IPs: 37.139.21.175:8080
Source: Malware configuration extractor | IPs: 149.202.153.252:8080
Source: Malware configuration extractor | IPs: 108.6.170.195:80
Source: Malware configuration extractor | IPs: 37.187.72.193:8080
Source: Malware configuration extractor | IPs: 190.220.19.82:443
Source: Malware configuration extractor | IPs: 206.81.10.215:8080
Source: Malware configuration extractor | IPs: 92.222.216.44:8080
Source: Malware configuration extractor | IPs: 104.131.44.150:8080
Source: Malware configuration extractor | IPs: 103.86.49.11:8080
Source: Malware configuration extractor | IPs: 78.186.5.109:443
Source: Malware configuration extractor | IPs: 62.75.187.192:8080
Source: Malware configuration extractor | IPs: 76.104.80.47:80
Source: Malware configuration extractor | IPs: 176.9.43.37:8080
Source: Malware configuration extractor | IPs: 31.172.240.91:8080
Source: Malware configuration extractor | IPs: 66.34.201.20:7080
Source: Malware configuration extractor | IPs: 125.207.127.86:80
Source: Malware configuration extractor | IPs: 85.152.174.56:80
Source: Malware configuration extractor | IPs: 78.189.180.107:80
Source: Malware configuration extractor | IPs: 23.92.16.164:8080
Source: Malware configuration extractor | IPs: 178.153.176.124:80
Source: Malware configuration extractor | IPs: 74.208.45.104:8080
Source: Malware configuration extractor | IPs: 177.239.160.121:80
Source: Malware configuration extractor | IPs: 47.156.70.145:80
Source: Malware configuration extractor | IPs: 217.160.182.191:8080
Source: Malware configuration extractor | IPs: 223.197.185.60:80
Source: Malware configuration extractor | IPs: 95.213.236.64:8080
Source: Malware configuration extractor | IPs: 190.143.39.231:80
Source: Malware configuration extractor | IPs: 173.73.87.96:80
Source: Malware configuration extractor | IPs: 46.105.131.87:80
Source: Malware configuration extractor | IPs: 93.147.141.5:443
Source: Malware configuration extractor | IPs: 105.27.155.182:80
Source: Malware configuration extractor | IPs: 209.146.22.34:443
Source: Malware configuration extractor | IPs: 174.53.195.88:80
Source: Malware configuration extractor | IPs: 59.20.65.102:80
Source: Malware configuration extractor | IPs: 205.185.117.108:8080
Source: Malware configuration extractor | IPs: 200.21.90.5:443
Source: Malware configuration extractor | IPs: 5.32.55.214:80
Source: Malware configuration extractor | IPs: 95.128.43.213:8080
Source: Malware configuration extractor | IPs: 108.191.2.72:80
Source: Malware configuration extractor | IPs: 105.247.123.133:8080
Source: Malware configuration extractor | IPs: 178.20.74.212:80
Source: Malware configuration extractor | IPs: 101.100.137.135:80
Source: Malware configuration extractor | IPs: 210.6.85.121:80
Source: Malware configuration extractor | IPs: 50.116.86.205:8080
Source: Malware configuration extractor | IPs: 70.180.35.211:80
Source: Malware configuration extractor | IPs: 162.241.92.219:8080
Source: Malware configuration extractor | IPs: 5.196.74.210:8080
Source: Malware configuration extractor | IPs: 201.173.217.124:443
Source: Malware configuration extractor | IPs: 91.242.136.103:80
Source: Malware configuration extractor | IPs: 45.33.49.124:443
Source: Malware configuration extractor | IPs: 59.103.164.174:80
Source: Malware configuration extractor | IPs: 47.6.15.79:80
Source: Malware configuration extractor | IPs: 201.184.105.242:443
Source: Malware configuration extractor | IPs: 71.222.233.135:443
Source: Malware configuration extractor | IPs: 24.105.202.216:443
Source: Malware configuration extractor | IPs: 76.104.80.47:443
Source: Malware configuration extractor | IPs: 188.0.135.237:80
Source: Malware configuration extractor | IPs: 60.231.217.199:8080
Source: Malware configuration extractor | IPs: 31.31.77.83:443
Source: Malware configuration extractor | IPs: 190.12.119.180:443
Source: Malware configuration extractor | IPs: 62.138.26.28:8080
Source: Malware configuration extractor | IPs: 47.153.183.211:80
Source: Malware configuration extractor | IPs: 71.126.247.90:80
Source: Malware configuration extractor | IPs: 189.212.199.126:443
Source: Malware configuration extractor | IPs: 200.116.145.225:443
Source: Malware configuration extractor | IPs: 139.130.241.252:443
Source: Malware configuration extractor | IPs: 90.69.145.210:8080
Source: Malware configuration extractor | IPs: 75.114.235.105:80
Source: Malware configuration extractor | IPs: 74.130.83.133:80
Source: Malware configuration extractor | IPs: 24.164.79.147:8080
Source: Malware configuration extractor | IPs: 190.114.244.182:443
Source: Malware configuration extractor | IPs: 180.92.239.110:8080
Source: Malware configuration extractor | IPs: 108.190.109.107:80
Source: Malware configuration extractor | IPs: 181.13.24.82:80
Source: Malware configuration extractor | IPs: 74.108.124.180:80
Source: Malware configuration extractor | IPs: 209.141.54.221:8080
Source: Malware configuration extractor | IPs: 110.36.217.66:8080
Source: Malware configuration extractor | IPs: 174.83.116.77:80
Source: Malware configuration extractor | IPs: 47.155.214.239:443
Source: Malware configuration extractor | IPs: 85.105.205.77:8080
Source: Malware configuration extractor | IPs: 179.13.185.19:80
Source: Malware configuration extractor | IPs: 139.130.242.43:80
Source: Malware configuration extractor | IPs: 160.16.215.66:8080
Source: Malware configuration extractor | IPs: 45.55.65.123:8080
Source: Malware configuration extractor | IPs: 41.60.200.34:80
Source: Malware configuration extractor | IPs: 88.249.120.205:80
Source: Malware configuration extractor | IPs: 98.239.119.52:80
Source: Malware configuration extractor | IPs: 2.237.76.249:80
Source: Malware configuration extractor | IPs: 87.106.139.101:8080
Source: Malware configuration extractor | IPs: 121.88.5.176:443
Source: Malware configuration extractor | IPs: 120.150.246.241:80
Source: Malware configuration extractor | IPs: 190.146.205.227:8080
Source: Malware configuration extractor | IPs: 195.244.215.206:80
Source: Malware configuration extractor | IPs: 68.114.229.171:80
Source: Malware configuration extractor | IPs: 46.105.131.69:443
Source: Malware configuration extractor | IPs: 104.236.246.93:8080
Source: Malware configuration extractor | IPs: 110.44.113.2:80
Source: Malware configuration extractor | IPs: 60.250.78.22:443
Source: Malware configuration extractor | IPs: 70.184.9.39:8080
Source: Malware configuration extractor | IPs: 209.97.168.52:8080
Source: Malware configuration extractor | IPs: 47.26.155.17:80
Source: Malware configuration extractor | IPs: 101.187.197.33:443
Source: Malware configuration extractor | IPs: 115.65.111.148:443
Source: Malware configuration extractor | IPs: 98.156.206.153:80
Source: Malware configuration extractor | IPs: 70.127.155.33:80
Source: Malware configuration extractor | IPs: 65.184.222.119:80
Source: Malware configuration extractor | IPs: 152.168.248.128:443
Source: unknown | Network traffic detected: IP country count 28
Source: global traffic | TCP traffic: 192.168.2.3:49729 -> 80.86.91.91:8080
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 104.236.28.47:8080
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 87.106.136.232:8080
Source: global traffic | TCP traffic: 192.168.2.3:49733 -> 211.63.71.72:8080
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 113.52.123.226:7080
Source: Joe Sandbox View | IP Address: 71.126.247.90 71.126.247.90
Source: Joe Sandbox View | ASN Name: VODAFONE-IT-ASNIT VODAFONE-IT-ASNIT
Source: Joe Sandbox View | ASN Name: ASN-TELSTRATelstraCorporationLtdAU ASN-TELSTRATelstraCorporationLtdAU
Source: global traffic | TCP traffic: 192.168.2.3:49720 -> 47.148.241.179:80
Source: global traffic | TCP traffic: 192.168.2.3:49726 -> 24.204.47.87:80
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 78.101.70.199:443
Source: unknown | TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown | TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown | TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown | TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown | TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown | TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown | TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown | TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown | TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown | TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown | TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown | TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: unknown | TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: unknown | TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: aeevts.exe, 00000004.00000002.470575098.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/
Source: svchost.exe, 00000007.00000002.475298493.00000235C3C12000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.475298493.00000235C3C12000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.475253020.00000235C3C00000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.474499079.00000235C3A70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000007.00000002.471916171.00000235BE4AE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enum
Source: svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
              Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
              Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
              Source: svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
              Source: svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
              Source: svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
              Source: svchost.exe, 0000000E.00000002.309958796.0000018A5403A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
              Source: svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
              Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_0040A270 GetClientRect,DNameNode::DNameNode,IsWindowVisible,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,BitBlt,ReleaseDC,GetSysColor,CreateRectRgn,IsWindowVisible,BitBlt,InvalidateRect,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_0043824F GetKeyState,GetKeyState,GetKeyState,GetKeyState,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004287DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00460A0B ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004119D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00411CB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetK
eyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0043824F GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004287DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00460A0B ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004119D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_00411CB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKe
yState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00452CFD GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00433411 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0045F6EB GetKeyState,GetKeyState,GetKeyState,

              E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE

              System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00460294 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00428BEF NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00425BDB NtdllDefWindowProc_A,CallWindowProcA,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00460294 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00428BEF NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00425BDB NtdllDefWindowProc_A,CallWindowProcA,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0042B3CC __snprintf_s,__snprintf_s,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00407480 _strlen,_strlen,GetSysColor,GetClassInfoA,NtdllDefWindowProc_A,LoadCursorA,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0042B625 _memset,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File created: C:\Windows\SysWOW64\aeevts\
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File deleted: C:\Windows\SysWOW64\aeevts\aeevts.exe:Zone.Identifier
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004680CB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0048813B
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00464300
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004684EB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00484AEB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00470DCA
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00481104
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0048926D
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0047D4B8
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0048623B
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0047238D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004680CB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0048813B
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00464300
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004684EB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00484AEB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00470DCA
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00481104
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0048926D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047D4B8
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0048623B
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047238D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00486428
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00476650
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00482685
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0042A732
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047A995
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0047AAAB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00482BAE
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046F038
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004830F0
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046F2AC
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00467418
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046F5B6
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004678EB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004839C8
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00467CBF
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00432A34 appears 36 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00465868 appears 52 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 004737C0 appears 42 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00436E97 appears 60 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00465835 appears 270 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: String function: 00465A70 appears 91 times
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: String function: 00436E97 appears 38 times
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: String function: 00465835 appears 133 times
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: String function: 00465A70 appears 60 times
Source: 9cf2c56e_by_Libranalysis.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218431401.0000000002C60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameIt's unfortunate that Democrats whomz- vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218551333.0000000002D60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218551333.0000000002D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe Binary or memory string: OriginalFilenameIt's unfortunate that Democrats whomz- vs 9cf2c56e_by_Libranalysis.exe
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: 9cf2c56e_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/8@0/100
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004204F0 FindResourceA,VirtualAllocExNuma,
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\IA8CD3455
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MA8CD3455
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 9cf2c56e_by_Libranalysis.exe ReversingLabs: Detection: 76%
Source: unknown Process created: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe 'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\aeevts\aeevts.exe C:\Windows\SysWOW64\aeevts\aeevts.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\aeevts\aeevts.exe C:\Windows\SysWOW64\aeevts\aeevts.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb source: 9cf2c56e_by_Libranalysis.exe, aeevts.exe
Source: Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb@K,CJ source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, aeevts.exe, 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00485724 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0046590D push ecx; ret
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00465AB5 push ecx; ret
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0046590D push ecx; ret
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00465AB5 push ecx; ret
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

              Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Executable created and started: C:\Windows\SysWOW64\aeevts\aeevts.exe
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe PE file moved: C:\Windows\SysWOW64\aeevts\aeevts.exe

              Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File opened: C:\Windows\SysWOW64\aeevts\aeevts.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_004441D1 __EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00425251 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004441D1 __EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00425251 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_004226C0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_00452DBF IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\svchost.exe TID: 5376 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0045436A lstrlen,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0045436A lstrlen,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe Code function: 4_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe Code function: 0_2_00464ED6 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
Source: svchost.exe, 00000007.00000002.475482424.00000235C3C64000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: svchost.exe, 00000007.00000002.475423789.00000235C3C4E000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
              Source: svchost.exe, 0000000A.00000002.471164998.0000023FDCC02000.00000004.00000001.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
              Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: svchost.exe, 0000000A.00000002.471272556.0000023FDCC3C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.471232005.0000020490229000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeProcess information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_004637C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00485724 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00411960 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_00411960 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_0046564B GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00470940 __decode_pointer,SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_0047091E SetUnhandledExceptionFilter,__encode_pointer,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_00475619 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_00470940 __decode_pointer,SetUnhandledExceptionFilter,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_0047091E SetUnhandledExceptionFilter,__encode_pointer,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_00475619 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_004637C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: 4_2_004639FB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004848E2 cpuid
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: GetLocaleInfoA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: GetLocaleInfoA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _LcidFromHexString,GetLocaleInfoA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _strlen,EnumSystemLocalesA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: GetLocaleInfoA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: GetLocaleInfoA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _LcidFromHexString,GetLocaleInfoA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _strlen,EnumSystemLocalesA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_0047549F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004788A8 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
              Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exeCode function: 0_2_004501B1 __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,
              Source: C:\Windows\SysWOW64\aeevts\aeevts.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000010.00000002.471490786.000002581C83D000.00000004.00000001.sdmp | Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.471637433.000002581C902000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe | Code function: 0_2_00431760 CreateBindCtx,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe | Code function: 4_2_00431760 CreateBindCtx,
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe | Code function: 4_2_0043255B __EH_prolog3_GS,lstrlenW,__snprintf_s,CreateBindCtx,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | Process Injection2 | Masquerading121 | Input Capture1 | System Time Discovery2 | Remote Services | Screen Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery61 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection2 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information21 | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | System Information Discovery46 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
9cf2c56e_by_Libranalysis.exe | 77% | ReversingLabs | Win32.Trojan.Emotet
9cf2c56e_by_Libranalysis.exe | 100% | Avira | HEUR/AGEN.1125826

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.9cf2c56e_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1127351
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.aeevts.exe.ad053f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.aeevts.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1127351

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://%s.xboxlive.com | 0% | URL Reputation | safe
http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/ | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/enum | svchost.exe, 00000007.00000002.471916171.00000235BE4AE000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp | false | | high
http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/ | aeevts.exe, 00000004.00000002.470575098.0000000000199000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmp | false |
                                                    high
                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.svchost.exe, 00000007.00000002.474499079.00000235C3A70000.00000002.00000001.sdmpfalse
                                                        high
                                                        https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://dynamic.tsvchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000E.00000002.309958796.0000018A5403A000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://appexmapsappupdate.blob.core.windows.netsvchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://activity.windows.comsvchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://www.bingmapsportal.comsvchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://%s.dnet.xboxlive.comsvchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          low
                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmpfalse
                                                                            high

                                                                            Contacted IPs


                                                                            Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                            93.147.141.5
                                                                            unknownItaly
                                                                            30722VODAFONE-IT-ASNITtrue
                                                                            120.150.246.241
                                                                            unknownAustralia
                                                                            1221ASN-TELSTRATelstraCorporationLtdAUtrue
                                                                            210.6.85.121
                                                                            unknownHong Kong
                                                                            9269HKBN-AS-APHongKongBroadbandNetworkLtdHKtrue
                                                                            121.88.5.176
                                                                            unknownKorea Republic of
                                                                            10036CNM-AS-KRDLIVEKRtrue
                                                                            59.103.164.174
                                                                            unknownPakistan
                                                                            45595PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPKtrue
                                                                            71.222.233.135
                                                                            unknownUnited States
                                                                            209CENTURYLINK-US-LEGACY-QWESTUStrue
                                                                            176.9.43.37
                                                                            unknownGermany
                                                                            24940HETZNER-ASDEtrue
                                                                            60.250.78.22
                                                                            unknownTaiwan; Republic of China (ROC)
                                                                            3462HINETDataCommunicationBusinessGroupTWtrue
                                                                            188.0.135.237
                                                                            unknownKazakhstan
                                                                            35104KTC-ASKZtrue
                                                                            71.126.247.90
                                                                            unknownUnited States
                                                                            701UUNETUStrue
                                                                            200.116.145.225
                                                                            unknownColombia
                                                                            13489EPMTelecomunicacionesSAESPCOtrue
                                                                            169.239.182.217
                                                                            unknownSouth Africa
                                                                            37153xneeloZAtrue
                                                                            70.180.35.211
                                                                            unknownUnited States
                                                                            22773ASN-CXA-ALL-CCI-22773-RDCUStrue
                                                                            190.220.19.82
                                                                            unknownArgentina
                                                                            19037AMXArgentinaSAARtrue
                                                                            45.33.49.124
                                                                            unknownUnited States
                                                                            63949LINODE-APLinodeLLCUStrue
                                                                            70.184.9.39
                                                                            unknownUnited States
                                                                            22773ASN-CXA-ALL-CCI-22773-RDCUStrue
                                                                            152.168.248.128
                                                                            unknownArgentina
                                                                            10318TelecomArgentinaSAARtrue
                                                                            190.143.39.231
                                                                            unknownColombia
                                                                            10620TelmexColombiaSACOtrue
                                                                            74.130.83.133
                                                                            unknownUnited States
                                                                            10796TWC-10796-MIDWESTUStrue
                                                                            47.6.15.79
                                                                            unknownUnited States
                                                                            20115CHARTER-20115UStrue
                                                                            173.73.87.96
                                                                            unknownUnited States
                                                                            701UUNETUStrue
                                                                            59.20.65.102
                                                                            unknownKorea Republic of
                                                                            4766KIXS-AS-KRKoreaTelecomKRtrue
                                                                            205.185.117.108
                                                                            unknownUnited States
                                                                            53667PONYNETUStrue
                                                                            139.130.241.252
                                                                            unknownAustralia
                                                                            1221ASN-TELSTRATelstraCorporationLtdAUtrue
                                                                            87.106.139.101
                                                                            unknownGermany
                                                                            8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                                            78.101.70.199
                                                                            unknownQatar
                                                                            42298GCC-MPLS-PEERINGGCCMPLSpeeringQAtrue
                                                                            47.153.183.211
                                                                            unknownUnited States
                                                                            5650FRONTIER-FRTRUStrue
                                                                            91.242.136.103
                                                                            unknownSpain
                                                                            48427VISOVISION-ASEStrue
                                                                            95.128.43.213
                                                                            unknownFrance
                                                                            41653AQUARAYFRtrue
                                                                            46.105.131.69
                                                                            unknownFrance
                                                                            16276OVHFRtrue
                                                                            60.231.217.199
                                                                            unknownAustralia
                                                                            1221ASN-TELSTRATelstraCorporationLtdAUtrue
                                                                            87.106.136.232
                                                                            unknownGermany
                                                                            8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                                            104.131.44.150
                                                                            unknownUnited States
                                                                            14061DIGITALOCEAN-ASNUStrue
                                                                            68.114.229.171
                                                                            unknownUnited States
                                                                            20115CHARTER-20115UStrue
                                                                            24.105.202.216
                                                                            unknownUnited States
                                                                            32953MHCV-AS1UStrue
                                                                            65.184.222.119
                                                                            unknownUnited States
                                                                            11426TWC-11426-CAROLINASUStrue
                                                                            37.139.21.175
                                                                            unknownNetherlands
                                                                            14061DIGITALOCEAN-ASNUStrue
                                                                            217.160.182.191
                                                                            unknownGermany
                                                                            8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                                            92.222.216.44
                                                                            unknownFrance
                                                                            16276OVHFRtrue
                                                                            105.247.123.133
                                                                            unknownSouth Africa
                                                                            36994Vodacom-VBZAtrue
                                                                            24.204.47.87
                                                                            unknownUnited States
                                                                            12019NETCOMMUStrue
                                                                            98.239.119.52
                                                                            unknownUnited States
                                                                            7922COMCAST-7922UStrue
                                                                            177.239.160.121
                                                                            unknownMexico
                                                                            28554CablemasTelecomunicacionesSAdeCVMXtrue
                                                                            95.213.236.64
                                                                            unknownRussian Federation
                                                                            49505SELECTELRUtrue
                                                                            108.6.170.195
                                                                            unknownUnited States
                                                                            701UUNETUStrue
                                                                            139.130.242.43
                                                                            unknownAustralia
                                                                            1221ASN-TELSTRATelstraCorporationLtdAUtrue
                                                                            80.86.91.91
                                                                            unknownGermany
                                                                            8972GD-EMEA-DC-SXB1DEtrue
                                                                            211.63.71.72
                                                                            unknownKorea Republic of
                                                                            38661HCLC-AS-KRpurplestonesKRtrue
                                                                            74.108.124.180
                                                                            unknownUnited States
                                                                            701UUNETUStrue
                                                                            31.172.240.91
                                                                            unknownUnited Kingdom
                                                                            34920SIMPLY-ROMFORDGBtrue
                                                                            108.190.109.107
                                                                            unknownUnited States
                                                                            33363BHN-33363UStrue
                                                                            180.92.239.110
                                                                            unknownBangladesh
                                                                            9832ISN-AS-APISNInternetServiceProviderBDtrue
                                                                            179.13.185.19
                                                                            unknownColombia
                                                                            27831ColombiaMovilCOtrue
                                                                            101.187.197.33
                                                                            unknownAustralia
                                                                            1221ASN-TELSTRATelstraCorporationLtdAUtrue
                                                                            85.152.174.56
                                                                            unknownSpain
                                                                            12946TELECABLESpainEStrue
                                                                            174.83.116.77
                                                                            unknownUnited States
                                                                            20115CHARTER-20115UStrue
                                                                            98.156.206.153
                                                                            unknownUnited States
                                                                            11427TWC-11427-TEXASUStrue
                                                                            66.34.201.20
                                                                            unknownUnited States
                                                                            54489CORESPACE-DALUStrue
                                                                            223.197.185.60
                                                                            unknownHong Kong
                                                                            4760HKTIMS-APHKTLimitedHKtrue
                                                                            181.13.24.82
                                                                            unknownArgentina
                                                                            7303TelecomArgentinaSAARtrue
                                                                            149.202.153.252
                                                                            unknownFrance
                                                                            16276OVHFRtrue
                                                                            46.105.131.87
                                                                            unknownFrance
                                                                            16276OVHFRtrue
                                                                            104.236.28.47
                                                                            unknownUnited States
                                                                            14061DIGITALOCEAN-ASNUStrue
                                                                            47.155.214.239
                                                                            unknownUnited States
                                                                            5650FRONTIER-FRTRUStrue
                                                                            189.212.199.126
                                                                            unknownMexico
                                                                            6503AxtelSABdeCVMXtrue
                                                                            195.244.215.206
                                                                            unknownGibraltar
                                                                            8301GIBTELECOMNETGItrue
                                                                            206.81.10.215
                                                                            unknownUnited States
                                                                            14061DIGITALOCEAN-ASNUStrue
                                                                            85.105.205.77
                                                                            unknownTurkey
                                                                            9121TTNETTRtrue
                                                                            41.60.200.34
                                                                            unknownMauritius
                                                                            30844LIQUID-ASGBtrue
                                                                            76.86.17.1
                                                                            unknownUnited States
                                                                            20001TWC-20001-PACWESTUStrue
                                                                            5.32.55.214
                                                                            unknownUnited Arab Emirates
                                                                            15802DU-AS1AEtrue
                                                                            201.173.217.124
                                                                            unknownMexico
                                                                            11888TelevisionInternacionalSAdeCVMXtrue
                                                                            47.156.70.145
                                                                            unknownUnited States
                                                                            5650FRONTIER-FRTRUStrue
                                                                            47.148.241.179
                                                                            unknownUnited States
                                                                            5650FRONTIER-FRTRUStrue
                                                                            190.146.205.227
                                                                            unknownColombia
                                                                            10620TelmexColombiaSACOtrue
                                                                            160.16.215.66
                                                                            unknownJapan9370SAKURA-BSAKURAInternetIncJPtrue
                                                                            45.55.65.123
                                                                            unknownUnited States
                                                                            14061DIGITALOCEAN-ASNUStrue
                                                                            70.127.155.33
                                                                            unknownUnited States
                                                                            33363BHN-33363UStrue
                                                                            174.53.195.88
                                                                            unknownUnited States
                                                                            7922COMCAST-7922UStrue
IP | Domain | Country | ASN | ASN Name | CC | Malicious
115.65.111.148 | unknown | Japan | 9595 | XEPHION NTT-ME Corporation | JP | true
209.97.168.52 | unknown | United States | 14061 | DIGITALOCEAN-ASN | US | true
47.26.155.17 | unknown | United States | 20115 | CHARTER-20115 | US | true
5.196.74.210 | unknown | France | 16276 | OVH | FR | true
88.249.120.205 | unknown | Turkey | 9121 | TTNET | TR | true
181.143.126.170 | unknown | Colombia | 13489 | EPM Telecomunicaciones SA ESP | CO | true
74.208.45.104 | unknown | United States | 8560 | ONEANDONE-AS Brauerstrasse 48 | DE | true
105.27.155.182 | unknown | Mauritius | 37100 | SEACOM-AS | MU | true
162.241.92.219 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1 | US | true
190.12.119.180 | unknown | Argentina | 11014 | CPS | AR | true
31.31.77.83 | unknown | Czech Republic | 197019 | WEDOS | CZ | true
24.164.79.147 | unknown | United States | 10796 | TWC-10796-MIDWEST | US | true
200.21.90.5 | unknown | Colombia | 3816 | COLOMBIA TELECOMUNICACIONES SA ESP | CO | true
222.144.13.169 | unknown | Japan | 4713 | OCN NTT Communications Corporation | JP | true
181.126.70.117 | unknown | Paraguay | 23201 | Telecel SA | PY | true
125.207.127.86 | unknown | Japan | 4713 | OCN NTT Communications Corporation | JP | true
75.114.235.105 | unknown | United States | 33363 | BHN-33363 | US | true
2.237.76.249 | unknown | Italy | 12874 | FASTWEB | IT | true
209.137.209.84 | unknown | United States | 21586 | SWKO | US | true
178.153.176.124 | unknown | Qatar | 42298 | GCC-MPLS-PEERING GCC MPLS peering | QA | true
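
The IP/ASN table above is the report's list of contacted command-and-control addresses, but the extraction has fused its columns and split records across lines. The following Python is an added example, not part of the Joe Sandbox report: it parses that flattened format into structured indicators, derives a blocklist from the entries flagged malicious, and checks a handful of proxy-log lines against it. The table excerpt is copied verbatim from the report; the proxy-log lines, client addresses, ports and URL paths are constructed for illustration and are not traffic observed in this analysis. ASN names are kept as they appear in the extraction (with internal spaces lost), since re-spacing them reliably needs a registry lookup.

```python
"""Parse a flattened Joe Sandbox 'IPs' table into IOC records and use the
malicious entries to flag outbound connections in a proxy log.

Added example, not code from the report. REPORT_IP_TABLE is copied from the
report's IP table; PROXY_LOG is constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt copied from the report. Columns IP / Domain / Country / ASN /
# ASN Name / CC / Malicious are fused without separators and a record may
# span two or three lines.
REPORT_IP_TABLE = """
209.97.168.52
unknownUnited States
14061DIGITALOCEAN-ASNUStrue
115.65.111.148
unknownJapan9595XEPHIONNTT-MECorporationJPtrue
5.196.74.210
unknownFrance
16276OVHFRtrue
31.31.77.83
unknownCzech Republic
197019WEDOSCZtrue
"""

# One record: IPv4, the literal domain 'unknown', a capitalised country name
# of one or more words, the ASN number, the ASN name, a two-letter country
# code and the malicious flag. Whitespace between fields is optional because
# the extraction sometimes joins fields and sometimes breaks the line.
RECORD = re.compile(
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"unknown(?P<country>[A-Z][a-z]+(?: [A-Z][a-z]+)*)\s*"
    r"(?P<asn>\d+)(?P<as_name>[^\n]+?)(?P<cc>[A-Z]{2})(?P<malicious>true|false)"
)


@dataclass(frozen=True)
class IpIndicator:
    ip: str
    country: str
    asn: int
    as_name: str
    cc: str
    malicious: bool


def parse_ip_table(text: str) -> list[IpIndicator]:
    """Turn the flattened table text into structured indicators."""
    return [
        IpIndicator(
            ip=m["ip"],
            country=m["country"],
            asn=int(m["asn"]),
            as_name=m["as_name"],
            cc=m["cc"],
            malicious=m["malicious"] == "true",
        )
        for m in RECORD.finditer(text)
    ]


def c2_blocklist(indicators: list[IpIndicator]) -> set[str]:
    """Only entries the sandbox marked malicious go on the blocklist."""
    return {i.ip for i in indicators if i.malicious}


# Constructed proxy-log lines (not from the report): client, method, URL, status.
# 203.0.113.10 is a documentation address and stands in for benign traffic.
PROXY_LOG = """\
10.0.0.5 POST http://209.97.168.52:8080/AbCdEf1/Gh2IjK3lMn/ 200
10.0.0.5 GET http://www.bing.com/ 200
10.0.0.7 POST http://31.31.77.83:443/zzQ9x/Pq1/ 200
10.0.0.7 GET http://203.0.113.10/update.bin 404
"""

LOG_LINE = re.compile(
    r"^(?P<src>\S+) (?P<method>\S+) "
    r"https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)? "
    r"(?P<status>\d{3})$"
)


def flag_c2_connections(log: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, destination) for each request to a blocklisted IP."""
    hits = []
    for line in log.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and m["host"] in blocklist:
            hits.append((m["src"], m["host"]))
    return hits


if __name__ == "__main__":
    indicators = parse_ip_table(REPORT_IP_TABLE)
    for ind in indicators:
        print(ind)
    for src, dst in flag_c2_connections(PROXY_LOG, c2_blocklist(indicators)):
        print(f"ALERT {src} contacted C2 {dst}")
```

The regex relies on the malicious flag always closing a record, which is how Joe Sandbox renders this table; feeding it the same table from another report works as long as the domain column reads "unknown", otherwise widen the `unknown` literal to a `\S+?` group.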

                                                                            Private

                                                                            IP
                                                                            127.0.0.1

                                                                            General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 405433
Start date: 06.05.2021
Start time: 06:08:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9cf2c56e_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@17/8@0/100
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                            Cookbook Comments:
                                                                            • Adjust boot time
                                                                            • Enable AMSI
                                                                            Warnings:
                                                                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 104.42.151.234, 93.184.220.29, 92.122.145.220, 104.43.193.48, 23.218.208.56, 20.82.209.183, 13.107.4.50, 92.122.213.194, 92.122.213.247, 20.54.26.129
                                                                            • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, Edge-Prod-FRA.env.au.au-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net
                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                                            Simulations

                                                                            Behavior and APIs

Time | Type | Description
06:09:18 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:10:34 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                            Joe Sandbox View / Context

                                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
120.150.246.241 | m5wpHJDhIl.exe | malicious | 120.150.246.241/K9czcmT3hzV
59.103.164.174 | n5hhkdky_exe.exe | malicious | 59.103.164.174/zeZ30sx6u6cxuuDrRRH
71.222.233.135 | 8930500066919696641336649.doc | malicious | 71.222.233.135:443/XCnXSEs6/O1gOah4tcPNdbv/zdMbVPP9og9sa/
60.250.78.22 | JM5z7TPkX5.exe | malicious |
188.0.135.237 | AUDIOKSE.exe | malicious |
 | _000819.exe | malicious |
 | _000822.exe | malicious |
71.126.247.90 | http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/ | malicious | 71.126.247.90/UOAEodt5UzLlCQ/0dW69/MxdzEiNUxNue/
 | VJW-020120 SKT-020720.doc | malicious | 71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/

                                                                                    Domains

                                                                                    No context

                                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
VODAFONE-IT-ASN (IT) | ppc_unpacked | malicious | 109.119.90.149
 | 4JQil8gLKd | malicious | 109.114.214.154
 | v8iFmF7XPp.dll | malicious | 93.146.48.84
 | 2ojdmC51As.exe | malicious | 188.219.31.12
 | IU-8549 Medical report COVID-19.doc | malicious | 93.146.48.84
 | Io8ic2291n.doc | malicious | 31.27.59.105
 | WUHU95Apq3 | malicious | 2.43.4.130
 | fil1 | malicious | 31.27.203.58
 | 1808_2020.doc | malicious | 93.149.120.214
 | file 0113165085 323975.doc | malicious | 93.149.120.214
 | Inf 2020_12_30 FPJ6997.doc | malicious | 93.149.120.214
 | 09648_2020.doc | malicious | 93.149.120.214
 | bijlagen 658.doc | malicious | 93.149.120.214
 | File 2020 RVT_724564.doc | malicious | 93.149.120.214
 | sample4.dll | malicious | 37.116.152.122
 | sample2.dll | malicious | 93.149.167.254
 | 42H3JnmK5y.exe | malicious | 2.45.176.233
 | fiksat.exe | malicious | 37.116.152.122
 | 7M5xbLL8eO.exe | malicious | 2.45.176.233
 | d21iCa31cs.exe | malicious | 2.45.176.233
ASN-TELSTRA Telstra Corporation Ltd (AU) | KnAY2OIPI3 | malicious | 1.151.13.11
 | x86_unpacked | malicious | 1.153.223.118
 | ppc_unpacked | malicious | 1.126.33.34
 | rIbyGX66Op | malicious | 203.49.228.158
 | MGuvcs6Ocz | malicious | 139.130.197.234
 | 4JQil8gLKd | malicious | 124.177.182.198
 | z3hir.x86 | malicious | 1.150.156.5
 | v8iFmF7XPp.dll | malicious | 110.145.101.66
 | 2ojdmC51As.exe | malicious | 110.142.236.207
 | 3kDM9S0iGA.exe | malicious | 124.182.146.41
 | networkmanager | malicious | 203.46.154.161
 | IU-8549 Medical report COVID-19.doc | malicious | 110.142.236.207
 | kF1JPCXvSq.dll | malicious | 144.139.47.206
 | oHqMFmPndx.exe | malicious | 101.184.48.99
 | utox.exe | malicious | 1.132.105.157
 | SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 101.187.176.67
 | e5ad48f310b56ceb013a30be125d967e.exe | malicious | 139.130.242.43
 | fIk5kbvEeK.exe | malicious | 139.130.242.43
 | xESLg6TBHK.exe | malicious | 139.130.242.43
 | fNaqLAFUM2.exe | malicious | 139.130.242.43

                                                                                    JA3 Fingerprints

                                                                                    No context

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

                                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):4096
                                                                                    Entropy (8bit):0.5952146479015531
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:0FV0k1GaD0JOCEfMuaaD0JOCEfMKQmDsS/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0f7GaD0JcaaD0JwQQsitAg/0bjSQJ
                                                                                    MD5:0F6FD21B4533C3048B9246C0733FA845
                                                                                    SHA1:BF13D8B9CBDC0273712893539DFEF1F36DCB50E4
                                                                                    SHA-256:64C532DC365D08E405CFF78F5D877EE2A9FD94BC1B28EBF1C231CA6BA9EE0BF5
                                                                                    SHA-512:CE3D42A93C38E2335F2AE0B7EFC6B165766283BD2CD4BA74C8F87C6EE3BCDD6365D9E343BC59D68C57C369A32DD16D8E5D1C4AD3A3E279152B9CD89808389CDC
                                                                                    Malicious:false
                                                                                    Preview: ......:{..(..........yC.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................yC...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x105ec6eb, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                    Category:dropped
                                                                                    Size (bytes):32768
                                                                                    Entropy (8bit):0.09638746104869653
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:T0+TelXO4blM6lYsKd0+TelXO4blM6lYsK:oQ6/Q6
                                                                                    MD5:939CA7367FE39301A850A839C0966BB4
                                                                                    SHA1:0450CA27131159C79B60FB1C3F69C42BCABBBCBD
                                                                                    SHA-256:7FC816C68E1934CF7DAE2AC4D23DFF39F4A195DA12886E6C5E5D534B339C7548
                                                                                    SHA-512:2A1299132CA75E84E21154F5ED90D57DD90653ACF97C10D7532BC0BEF2AE9ADFBF655DDB1D602112BBBC3A1982B3CA3045A491FDC72D4E57B4489BD3CB473819
                                                                                    Malicious:false
                                                                                    Preview: .^..... ................e.f.3...w........................&..........w.......yC.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................=i.....yCo.................r.>.....yC.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):8192
                                                                                    Entropy (8bit):0.11153392933833282
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ugmll9Ev3S7DAl/bJdAtiYwll:ujlykDAt4tQ
                                                                                    MD5:DA520874C490C0C2EFB70948BFF976BA
                                                                                    SHA1:03D2E41E1F263A944C54678DA0CEFAFF6824A11A
                                                                                    SHA-256:2CC14C26D7770616EB6DD51CE3B1E841DBF9F00BB5F2EE72D6426E2B66B6C4B5
                                                                                    SHA-512:F73C423A5056DD851211E8A04191FBCD1B410413A8E194D438F08B3E64C26B0CD5A3C7BE50332A42C574A9003A5C5AB7EEA7114EDCC6274E8B116AEA64FADF3F
                                                                                    Malicious:false
                                                                                    Preview: .*.......................................3...w.......yC......w...............w.......w....:O.....w...................r.>.....yC.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.10997851866389849
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:26qXm/Ey6q9995QLNOy3q3qQ10nMCldimE8eawHjch:26fl68VDLyMCldzE9BHjch
                                                                                    MD5:F14DF28934C7F9E1E0EBCC368C9B19D7
                                                                                    SHA1:71B9BF1B8537B5346CCC9936849D1D929982C348
                                                                                    SHA-256:54EF695C66F237A20429E67DFF77CC6D241BA00E0AD8138BBC431C9398DC10BC
                                                                                    SHA-512:F34A50359F0EFE1EEA5F2D228D9F44559A2BEE445F5A388F29A1D917DE483C40B9A6D7FDCF7657268DB57DD2BCCE3050B556A43F5DF94EC8CB222BF03BF109B7
                                                                                    Malicious:false
                                                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.11256005945646773
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:OYXm/Ey6q9995QLNw1miM3qQ10nMCldimE8eawHza1miI0:Ul68Z1tMLyMCldzE9BHza1tI0
                                                                                    MD5:F51ED03CC89897E1FCE7EE4809947FD4
                                                                                    SHA1:1BF8A0C56AFB8D988647C465564E41C39BD9F900
                                                                                    SHA-256:CB5C6FF4F886E095565BBED2560A5A3DDB45AB3FF42CCC38661D2691601B8C1D
                                                                                    SHA-512:CA9FC7E2A70FEE62184B1A30D73E7E4814F43265FC074F341C8FAF4BAE0A2E501C074E42B19D4D2A39E0B64F5F0565BFDDD4FBA3F84621620FC9022C60F0551B
                                                                                    Malicious:false
                                                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.11245941337902163
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:D/STXm/Ey6q9995QLN3w1mK2P3qQ10nMCldimE8eawHza1mKY/:GKl68iw1iPLyMCldzE9BHza10/
                                                                                    MD5:8BF54ABB25B5325FEC1DA8253831ECFD
                                                                                    SHA1:F0B58E7FDCD9FFC5335C1C87F45473CDE261B075
                                                                                    SHA-256:9AEB5C55AA52AF5372F41E1FC9A2787E368A76208E7F54C8F26C3C88B34F6B32
                                                                                    SHA-512:472326E8D30462FF0036C18530CBEF163D70F5A859B49AB040D2869673323F52892F7C9A87A180488C5CB7460C5B88B3DFCAE8837C0CADB99DECA797793E45B2
                                                                                    Malicious:false
                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):55
                                                                                    Entropy (8bit):4.306461250274409
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                    Malicious:false
                                                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                    File Type:data
                                                                                    Category:modified
                                                                                    Size (bytes):906
                                                                                    Entropy (8bit):3.1519327164727655
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:58KRBubdpkoF1AG3rXZk9+MlWlLehB4yAq7ejCSo:OaqdmuF3rO+kWReH4yJ7MQ
                                                                                    MD5:5F9AEF3B9D25DA8899C12A0893E2B7F1
                                                                                    SHA1:629336E7BC2F276EE0222FDA815D95682AB95659
                                                                                    SHA-256:7271985673CAD32281A84FAC07FE23B8CEBCBFF0D27C23230AAEBC58A396ED4B
                                                                                    SHA-512:0BF5BA04B81B802DB2714804E0467E5151461EC9DA8649D35EE8E065B8A4134D99B2BA1017FF12FAAD166DA71951BF8B282001D15BD4A05572682BD24CEDEEBD
                                                                                    Malicious:false
                                                                                    Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. M.a.y. .. 0.6. .. 2.0.2.1. .0.6.:.1.0.:.3.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. M.a.y. .. 0.6. .. 2.0.2.1. .0.6.:.1.0.:.3.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                    Entropy (8bit):7.702887312906918
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.39%
                                                                                    • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                                    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    File name:9cf2c56e_by_Libranalysis.exe
                                                                                    File size:429632
                                                                                    MD5:9cf2c56ef2d9ed4c679013369c6bf4c0
                                                                                    SHA1:77a2d90daf8ccff12ba036924d49c0d57cfbc89b
                                                                                    SHA256:ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726
                                                                                    SHA512:824fa156c422176b7f41aeae17fe10ea40bd0cb4337a3093b76b7416add2412d6de606d12b0f50a9de0b68e92456728b4b6e1829f2c2324a667282c73a0e6598
                                                                                    SSDEEP:12288:wd3HiRnI38fT5bqzqNTrrU2mItW++9AnUZ6:wu88bEO9rU2LtPP
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D...%...%...%...*...%...*...%...%...'.......%......Z%......b%.......%.......%..Rich.%..........................PE..L...;.=^...

                                                                                    File Icon

                                                                                    Icon Hash:71b018ccc6577131

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x4ce8a0
                                                                                    Entrypoint Section:UPX1
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                                    DLL Characteristics:
                                                                                    Time Stamp:0x5E3DBF3B [Fri Feb 7 19:49:15 2020 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:e7a9b88f332bb9f5267fa2cb2fef50f5

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    pushad
                                                                                    mov esi, 00475000h
                                                                                    lea edi, dword ptr [esi-00074000h]
                                                                                    push edi
                                                                                    or ebp, FFFFFFFFh
                                                                                    jmp 00007FD1F4D5DB92h
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    mov al, byte ptr [esi]
                                                                                    inc esi
                                                                                    mov byte ptr [edi], al
                                                                                    inc edi
                                                                                    add ebx, ebx
                                                                                    jne 00007FD1F4D5DB89h
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    jc 00007FD1F4D5DB6Fh
                                                                                    mov eax, 00000001h
                                                                                    add ebx, ebx
                                                                                    jne 00007FD1F4D5DB89h
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    adc eax, eax
                                                                                    add ebx, ebx
                                                                                    jnc 00007FD1F4D5DB71h
                                                                                    jne 00007FD1F4D5DB8Bh
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    jnc 00007FD1F4D5DB66h
                                                                                    xor ecx, ecx
                                                                                    sub eax, 03h
                                                                                    jc 00007FD1F4D5DB8Fh
                                                                                    shl eax, 08h
                                                                                    mov al, byte ptr [esi]
                                                                                    inc esi
                                                                                    xor eax, FFFFFFFFh
                                                                                    je 00007FD1F4D5DBF6h
                                                                                    mov ebp, eax
                                                                                    add ebx, ebx
                                                                                    jne 00007FD1F4D5DB89h
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    adc ecx, ecx
                                                                                    add ebx, ebx
                                                                                    jne 00007FD1F4D5DB89h
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    adc ecx, ecx
                                                                                    jne 00007FD1F4D5DBA2h
                                                                                    inc ecx
                                                                                    add ebx, ebx
                                                                                    jne 00007FD1F4D5DB89h
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    adc ecx, ecx
                                                                                    add ebx, ebx
                                                                                    jnc 00007FD1F4D5DB71h
                                                                                    jne 00007FD1F4D5DB8Bh
                                                                                    mov ebx, dword ptr [esi]
                                                                                    sub esi, FFFFFFFCh
                                                                                    adc ebx, ebx
                                                                                    jnc 00007FD1F4D5DB66h
                                                                                    add ecx, 02h
                                                                                    cmp ebp, FFFFF300h
                                                                                    adc ecx, 01h
                                                                                    lea edx, dword ptr [edi+ebp]
                                                                                    cmp ebp, FFFFFFFCh
                                                                                    jbe 00007FD1F4D5DB91h
                                                                                    mov al, byte ptr [edx]
                                                                                    inc edx
                                                                                    mov byte ptr [edi], al
                                                                                    inc edi
                                                                                    dec ecx
                                                                                    jne 00007FD1F4D5DB79h
                                                                                    jmp 00007FD1F4D5DAE8h
                                                                                    nop
                                                                                    mov eax, dword ptr [edx]
                                                                                    add edx, 04h
                                                                                    mov dword ptr [edi], eax
                                                                                    add edi, 04h
                                                                                    sub ecx, 00000000h

                                                                                    Rich Headers

                                                                                    Programming Language:
                                                                                    • [RES] VS2005 build 50727
                                                                                    • [ C ] VS2005 build 50727
                                                                                    • [LNK] VS2005 build 50727
                                                                                    • [C++] VS2005 build 50727
                                                                                    • [ASM] VS2005 build 50727

                                                                                    Data Directories

                                                                                     Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                                     IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xdd9a4         | 0x294        | .rsrc
                                                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xcf000         | 0xe9a4       | .rsrc
                                                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xddc38         | 0xc          | .rsrc
                                                                                     IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xcea3c         | 0x48         | UPX1
                                                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0xb04dc         | 0x40         | UPX1
                                                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                                                     IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                                    Sections

                                                                                     Name  | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
                                                                                     UPX0  | 0x1000          | 0x74000      | 0x0      | False    | 0               | empty     | 0.0           | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                     UPX1  | 0x75000         | 0x5a000      | 0x59c00  | False    | 0.962308495822  | data      | 7.73574464577 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                     .rsrc | 0xcf000         | 0xf000       | 0xee00   | False    | 0.77276457458   | data      | 7.13622388256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                                                                    Resources

                                                                                     Name      | RVA     | Size   | Type | Language | Country
                                                                                     BRESSMON  | 0xcfb68 | 0x9f44 | data | German | Germany
                                                                                     RT_CURSOR | 0xd9ab0 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xd9be8 | 0xb4   | data | German | Germany
                                                                                     RT_CURSOR | 0xd9ca0 | 0x134  | AmigaOS bitmap font | German | Germany
                                                                                     RT_CURSOR | 0xd9dd8 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xd9f10 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda048 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda180 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda2b8 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda3f0 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda528 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda660 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda798 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xda8d0 | 0x134  | AmigaOS bitmap font | German | Germany
                                                                                     RT_CURSOR | 0xdaa08 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xdab40 | 0x134  | data | German | Germany
                                                                                     RT_CURSOR | 0xdac78 | 0x134  | data | German | Germany
                                                                                     RT_BITMAP | 0xdadb0 | 0xb8   | data | German | Germany
                                                                                     RT_BITMAP | 0xdae6c | 0x144  | data | German | Germany
                                                                                     RT_ICON   | 0xdafb4 | 0x2e8  | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | German | Germany
                                                                                     RT_ICON   | 0xdb2a0 | 0x128  | GLS_BINARY_LSB_FIRST | German | Germany
                                                                                     RT_DIALOG | 0xdb3cc | 0xba   | data | German | Germany
                                                                                     RT_DIALOG | 0xdb48c | 0xee   | data | German | Germany
                                                                                     RT_DIALOG | 0xdb580 | 0x34   | data | German | Germany
                                                                                     RT_STRING | 0xdb5b8 | 0xaa   | data | German | Germany
                                                                                     RT_STRING | 0xdb668 | 0x36   | data | German | Germany
                                                                                     RT_STRING | 0xdb6a4 | 0x21c  | data | German | Germany
                                                                                     RT_STRING | 0xdb8c4 | 0x668  | data | German | Germany
                                                                                     RT_STRING | 0xdbf30 | 0x3a6  | data | German | Germany
                                                                                     RT_STRING | 0xdc2dc | 0x3d6  | data | German | Germany
                                                                                     RT_STRING | 0xdc6b8 | 0x9c   | data | German | Germany
                                                                                     RT_STRING | 0xdc758 | 0x110  | data | German | Germany
                                                                                    RT_STRING0xdc86c0x12adataGermanGermany
                                                                                    RT_STRING0xdc99c0x65adataGermanGermany
                                                                                    RT_STRING0xdcffc0x2f2dataGermanGermany
                                                                                    RT_STRING0xdd2f40x2aHitachi SH big-endian COFF object file, not stripped, 20480 sections, symbol offset=0x65006c00GermanGermany
                                                                                    RT_STRING0xdd3240x5cdataGermanGermany
                                                                                    RT_GROUP_CURSOR0xdd3840x22Lotus unknown worksheet or configuration, revision 0x2GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd3ac0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd3c40x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd3dc0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd3f40x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd40c0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd4240x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd43c0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd4540x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd46c0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd4840x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd49c0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd4b40x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd4cc0x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_CURSOR0xdd4e40x14Lotus unknown worksheet or configuration, revision 0x1GermanGermany
                                                                                    RT_GROUP_ICON0xdd4fc0x22dataGermanGermany
                                                                                    RT_VERSION0xdd5240x424dataGermanGermany
                                                                                    RT_MANIFEST0xdd94c0x56ASCII text, with CRLF line terminatorsEnglishUnited States

                                                                                    Imports

DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | RegEnumKeyA
comdlg32.dll | GetFileTitleA
GDI32.dll | ArcTo
ole32.dll | OleRun
OLEAUT32.dll | SysFreeString
oledlg.dll | (none listed)
SHELL32.dll | DragFinish
SHLWAPI.dll | PathIsUNCA
USER32.dll | GetDC
WINSPOOL.DRV | OpenPrinterA

                                                                                    Version Infos

Description | Data
LegalCopyright | he Senate Republican investigation into the Bidens
InternalName | he administration told House Democrats
FileVersion | 8, 8, 33, 13
CompanyName | (empty)
LegalTrademarks | (empty)
ProductName | easury has provided to the Senate committees
ProductVersion | 8, 8, 33, 13
FileDescription | Wyden's office is not saying what documents were turned
OriginalFilename | It's unfortunate that Democrats whom
Translation | 0x0407 0x04b0

                                                                                    Possible Origin

Language of compilation system | Country where language is spoken
German | Germany
English | United States

                                                                                    Network Behavior

                                                                                    Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/06/21-06:10:04.894919 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | - | - | 211.63.71.72 | 192.168.2.3
05/06/21-06:10:07.900739 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | - | - | 211.63.71.72 | 192.168.2.3
05/06/21-06:10:13.918993 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | - | - | 211.63.71.72 | 192.168.2.3

                                                                                    Network Port Distribution

                                                                                    TCP Packets


                                                                                    UDP Packets


                                                                                    ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 6, 2021 06:10:04.894918919 CEST | 211.63.71.72 | 192.168.2.3 | da4f | (Unknown) | Destination Unreachable
May 6, 2021 06:10:07.900738955 CEST | 211.63.71.72 | 192.168.2.3 | da4f | (Unknown) | Destination Unreachable
May 6, 2021 06:10:13.918992996 CEST | 211.63.71.72 | 192.168.2.3 | da4f | (Unknown) | Destination Unreachable

                                                                                    Code Manipulations

                                                                                    Statistics

                                                                                    Behavior

                                                                                    System Behavior

                                                                                    General

                                                                                    Start time:06:08:52
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe'
                                                                                    Imagebase:0x400000
                                                                                    File size:429632 bytes
                                                                                    MD5 hash:9CF2C56EF2D9ED4C679013369C6BF4C0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, Author: ReversingLabs
                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, Author: ReversingLabs
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:06:08:59
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\SysWOW64\aeevts\aeevts.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\aeevts\aeevts.exe
                                                                                    Imagebase:0x400000
                                                                                    File size:429632 bytes
                                                                                    MD5 hash:9CF2C56EF2D9ED4C679013369C6BF4C0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, Author: ReversingLabs
                                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, Author: ReversingLabs
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:06:09:03
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:18
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:29
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:29
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:30
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:30
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:31
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:31
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:32
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\SgrmBroker.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                    Imagebase:0x7ff6edd60000
                                                                                    File size:163336 bytes
                                                                                    MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:32
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:06:09:48
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                    Imagebase:0x7ff7488e0000
                                                                                    File size:51288 bytes
                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language

                                                                                    General

                                                                                    Start time:06:10:33
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                    Imagebase:0x7ff7640f0000
                                                                                    File size:455656 bytes
                                                                                    MD5 hash:A267555174BFA53844371226F482B86B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language

                                                                                    General

                                                                                    Start time:06:10:34
                                                                                    Start date:06/05/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6b2800000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language

                                                                                    Disassembly

                                                                                    Code Analysis
