
Windows Analysis Report methodsnetsh.exe

Overview

General Information

Sample Name: methodsnetsh.exe
Analysis ID: 450352
MD5: 8e22080fe62e462723d231fe5c8ba98a
SHA1: 8b58fd7bcd7083e5a326e7a04e10c0e0626ac4ca
SHA256: d082395ca1ce0c118edbff1e5bf1b1d4ad2db5aefa5691cc4c15bd94208a3cc0

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • methodsnetsh.exe (PID: 6032 cmdline: 'C:\Users\user\Desktop\methodsnetsh.exe' MD5: 8E22080FE62E462723D231FE5C8BA98A)
    • methodsnetsh.exe (PID: 5456 cmdline: --4a9ea48a MD5: 8E22080FE62E462723D231FE5C8BA98A)
  • svchost.exe (PID: 3412 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • sensorias.exe (PID: 5564 cmdline: C:\Windows\SysWOW64\sensorias.exe MD5: 8E22080FE62E462723D231FE5C8BA98A)
    • sensorias.exe (PID: 6036 cmdline: --606904f7 MD5: 8E22080FE62E462723D231FE5C8BA98A)
  • svchost.exe (PID: 6072 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5948 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5576 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2168 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4168 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6096 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4880 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
  • 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
    • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
  • 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
    • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 7E 00 85 C0
    • 0x5066:$snippet6: 33 C0 21 05 0C 3C 7E 00 A3 08 3C 7E 00 39 05 60 03 7E 00 74 18 40 A3 08 3C 7E 00 83 3C C5 60 03 ...
  • 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(11 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
  • 1.2.methodsnetsh.exe.6f053f.1.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
    • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
    • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
  • 1.2.methodsnetsh.exe.6f053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 1.2.methodsnetsh.exe.6f053f.1.raw.unpack | Emotet | Emotet Payload | kevoreilly
    • 0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
    • 0x5466:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
  • 1.2.methodsnetsh.exe.6f053f.1.raw.unpack | Win32_Trojan_Emotet | unknown | ReversingLabs
    • 0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ...
    • 0xcfbf:$generate_filename_v1: 56 57 33 C0 BF 28 41 41 00 57 50 50 6A 1C 50 FF 15 A8 2B 41 00 BA 7E BC E6 47 B9 60 0D 41 00 E8 ...
  • 0.2.methodsnetsh.exe.62053f.1.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
    • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
    • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
(23 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: methodsnetsh.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: methodsnetsh.exe | Virustotal: Detection: 65%
Source: methodsnetsh.exe | Metadefender: Detection: 56%
Source: methodsnetsh.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F11 CryptExportKey
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F56 CryptGetHashParam
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F11 CryptExportKey
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F56 CryptGetHashParam
Source: methodsnetsh.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042A18A lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042A18A lstrlenA,FindFirstFileA,FindClose
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 91.250.96.22:8080
Source: Joe Sandbox View | IP Address: 100.6.23.40
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 100.6.23.40:80
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 200.71.200.4:443
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 190.114.244.182:443
Source: unknown | TCP traffic detected without corresponding DNS query: 100.6.23.40
Source: unknown | TCP traffic detected without corresponding DNS query: 200.71.200.4
Source: unknown | TCP traffic detected without corresponding DNS query: 190.114.244.182
Source: unknown | TCP traffic detected without corresponding DNS query: 91.250.96.22
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1383 InternetReadFile
Source: sensorias.exe, 00000007.00000002.468140623.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://91.250.96.22/LhqjdNLOiM5Uy7n
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: methodsnetsh.exe, 00000000.00000002.205022042.000000000084A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042CB9E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042CB9E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009DDE9C
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00ECDE9C
Yara detected Emotet
Source: Yara match | File source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload, Author: kevoreilly
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009DE068 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1D2B CreateProcessAsUserW,CreateProcessW
Source: C:\Windows\SysWOW64\sensorias.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\methodsnetsh.exe | File deleted: C:\Windows\SysWOW64\sensorias.exe:Zone.Identifier
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0041D2A4
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042DBF6
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_00420CE2
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0041D2A4
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042DBF6
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_00420CE2
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_006F30E8
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_006F30E4
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_006F28C1
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D2F82
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D37A9
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D37A5
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00AB30E8
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00AB30E4
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00AB28C1
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00F637A5
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00F637A9
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00F62F82
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EA30E8
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EA30E4
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EA28C1
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC37A9
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC37A5
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC2F82
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 0041F843 appears 36 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 00420649 appears 43 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 00431FE2 appears 40 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 0041DC48 appears 90 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 0041D6AC appears 111 times
Source: methodsnetsh.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe, 00000000.00000002.204812573.0000000000442000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.224720605.0000000000442000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225734467.00000000029E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225734467.00000000029E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225577349.00000000028E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs methodsnetsh.exe
Source: methodsnetsh.exe | Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: methodsnetsh.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
          Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
          Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
          Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: classification engineClassification label: mal96.bank.troj.evad.winEXE@18/7@0/5
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009D1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_00402170 CoCreateInstance,VariantInit,VariantClear,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_00407190 CoInitialize,FindResourceA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,Send
MessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessa
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009DE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\Desktop\methodsnetsh.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
          Source: C:\Windows\SysWOW64\sensorias.exeMutant created: \BaseNamedObjects\Global\I5ADD31F0
          Source: C:\Users\user\Desktop\methodsnetsh.exeMutant created: \Sessions\1\BaseNamedObjects\Global\I5ADD31F0
          Source: C:\Users\user\Desktop\methodsnetsh.exeMutant created: \Sessions\1\BaseNamedObjects\Global\M5ADD31F0
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3596:120:WilError_01
          Source: methodsnetsh.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\methodsnetsh.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\methodsnetsh.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: methodsnetsh.exeVirustotal: Detection: 65%
          Source: methodsnetsh.exeMetadefender: Detection: 56%
          Source: methodsnetsh.exeReversingLabs: Detection: 86%
          Source: C:\Windows\SysWOW64\sensorias.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
          Source: unknownProcess created: C:\Users\user\Desktop\methodsnetsh.exe 'C:\Users\user\Desktop\methodsnetsh.exe'
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess created: C:\Users\user\Desktop\methodsnetsh.exe --4a9ea48a
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknownProcess created: C:\Windows\SysWOW64\sensorias.exe C:\Windows\SysWOW64\sensorias.exe
          Source: C:\Windows\SysWOW64\sensorias.exeProcess created: C:\Windows\SysWOW64\sensorias.exe --606904f7
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
          Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
          Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
          Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess created: C:\Users\user\Desktop\methodsnetsh.exe --4a9ea48a
          Source: C:\Windows\SysWOW64\sensorias.exeProcess created: C:\Windows\SysWOW64\sensorias.exe --606904f7
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Users\user\Desktop\methodsnetsh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0042D282 LoadLibraryA,GetProcAddress,FreeLibrary,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041D3B0 push eax; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041D3B0 push eax; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041DC83 push ecx; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041D6AC push eax; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0041D3B0 push eax; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0041D3B0 push eax; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0041DC83 push ecx; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0041D6AC push eax; ret
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFD71 push edx; retf
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFD52 push edx; iretd
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFAF1 push edx; retf
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFAD3 push edx; iretd
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFB77 push edx; iretd
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFB0F push edx; retf
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FFB1A push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFAF1 push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFAD3 push edx; iretd
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFB0F push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFB1A push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFD71 push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFB77 push edx; iretd
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00ABFD52 push edx; iretd
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFAF1 push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFAD3 push edx; iretd
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFD71 push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFB77 push edx; iretd
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFD52 push edx; iretd
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFB0F push edx; retf
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EAFB1A push edx; retf

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Windows\SysWOW64\sensorias.exeExecutable created and started: C:\Windows\SysWOW64\sensorias.exe
          Source: C:\Users\user\Desktop\methodsnetsh.exePE file moved: C:\Windows\SysWOW64\sensorias.exe
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009DE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\methodsnetsh.exeFile opened: C:\Windows\SysWOW64\sensorias.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041BA20 IsIconic,GetWindowPlacement,GetWindowRect,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041ABB0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0041BA20 IsIconic,GetWindowPlacement,GetWindowRect,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0041ABB0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\methodsnetsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Found evasive API chain (may stop execution after checking mutex)
          Source: C:\Windows\SysWOW64\sensorias.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcess
          Source: C:\Users\user\Desktop\methodsnetsh.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcess
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,
          Source: C:\Users\user\Desktop\methodsnetsh.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Windows\System32\svchost.exe TID: 1708Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\methodsnetsh.exeFile Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0042A18A lstrlenA,FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0042A18A lstrlenA,FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041D1C0 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
          Source: svchost.exe, 00000008.00000002.471152337.000001A9A7862000.00000004.00000001.sdmpBinary or memory string: "@Hyper-V RAW
          Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: svchost.exe, 00000008.00000002.468520785.000001A9A2029000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.468505526.00000219B1E2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\methodsnetsh.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\methodsnetsh.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\methodsnetsh.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\sensorias.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\sensorias.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\sensorias.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\sensorias.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0042D282 LoadLibraryA,GetProcAddress,FreeLibrary,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_004029B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_004029B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006E0350 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006F0467 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006F0C0C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006F1743 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009D12CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009D1E04 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00AA0350 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00AB0C0C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00AB0467 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00AB1743 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00F612CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 6_2_00F61E04 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00BB0350 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EA0467 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EA0C0C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EA1743 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EC12CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: 7_2_00EC1E04 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009D14F2 GetProcessHeap,RtlAllocateHeap,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0042058B SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0042059F SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0042058B SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_0042059F SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_006FE1F7 cpuid
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: GetLocaleInfoA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: GetLocaleInfoA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
          Source: C:\Users\user\Desktop\methodsnetsh.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\methodsnetsh.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\sensorias.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_00421EEF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_00422423 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_0041B88D GetVersionExA,
          Source: C:\Users\user\Desktop\methodsnetsh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

          Changes security center settings (notifications, updates, antivirus, firewall)
          Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
          Source: svchost.exe, 0000000F.00000002.468702298.000001FDA3A3D000.00000004.00000001.sdmpBinary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
          Source: svchost.exe, 0000000F.00000002.468733692.000001FDA3B02000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
          Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
          Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
          Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

          Stealing of Sensitive Information:

          Yara detected Emotet
          Source: Yara matchFile source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY
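The memory-dump identifiers above encode process index, stage and region base address, and the unpacked-PE names beside them encode the address the PE was carved from. Lining the two up shows that in every process (0 and 1 for methodsnetsh.exe, 6 and 7 for sensorias.exe) the Emotet payload sits at the same offset, 0x53f, inside a region whose identifier carries 0x40, and that the 0x20 regions have no unpacked-PE counterpart. The following Python is an added example written for this page, not Joe Sandbox code. It assumes that the fifth field of a dump identifier is the region's Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x20 = PAGE_EXECUTE_READ), which the values are consistent with but the report does not state, and it uses a 64 KiB window when matching an address to a region because region sizes are not part of the identifier.

```python
"""Correlate Joe Sandbox YARA hits on memory dumps with the unpacked-PE files
listed beside them (added example for this page, not Joe Sandbox code).

Identifier shapes as they appear in the report:
  memory dump : PPPPPPPP.SSSSSSSS.dumpid.BASEADDRESS.PPPPPPPP.TTTTTTTT.sdmp
                (pid index, stage, dump id, region base, protection, type)
  unpacked PE : <pid>.<stage>.<process name>.<hex address>.<n>[.raw].unpack
Assumption: the fifth dump field is the Win32 page protection of the region.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?\.exe)\.(?P<addr>[0-9a-f]+)"
    r"\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)
# Standard Win32 memory protection constants.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed input: the YARA match sources listed in this report.
YARA_SOURCES = [
    "1.2.methodsnetsh.exe.6f053f.1.raw.unpack",
    "0.2.methodsnetsh.exe.62053f.1.raw.unpack",
    "0.2.methodsnetsh.exe.62053f.1.unpack",
    "7.2.sensorias.exe.ea053f.1.unpack",
    "7.2.sensorias.exe.ea053f.1.raw.unpack",
    "6.2.sensorias.exe.ab053f.1.unpack",
    "1.2.methodsnetsh.exe.6f053f.1.unpack",
    "6.2.sensorias.exe.ab053f.1.raw.unpack",
    "00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp",
    "00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp",
    "00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp",
    "00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp",
    "00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp",
    "00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp",
    "00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp",
    "00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp",
]


def parse_dumps(sources):
    """{(pid, stage): [(region base, protection name)]} for the memory-dump hits."""
    regions = defaultdict(list)
    for s in sources:
        m = DUMP_RE.match(s)
        if m:
            prot = int(m["prot"], 16)
            regions[(int(m["pid"], 16), int(m["stage"], 16))].append(
                (int(m["base"], 16), PAGE_PROTECTION.get(prot, hex(prot))))
    return regions


def parse_unpacks(sources):
    """{(pid, stage): {(process name, carve address)}}; .raw and mapped copies collapse."""
    pes = defaultdict(set)
    for s in sources:
        m = UNPACK_RE.match(s)
        if m:
            pes[(int(m["pid"]), int(m["stage"]))].add((m["proc"], int(m["addr"], 16)))
    return pes


def correlate(sources):
    """For each unpacked PE, find the matched region of the same process and stage
    that contains its carve address: (pid, process, base, offset, protection)."""
    regions, pes = parse_dumps(sources), parse_unpacks(sources)
    rows = []
    for key, hits in pes.items():
        for proc, addr in sorted(hits):
            for base, prot in regions.get(key, []):
                # Region size is not in the identifier; accept a 64 KiB window (assumption).
                if base <= addr < base + 0x10000:
                    rows.append((key[0], proc, base, addr - base, prot))
    return sorted(rows)


def shared_offset(rows):
    """The payload's offset inside its region if every process shows the same one,
    which points at one unpacking stub placing the payload identically everywhere."""
    offsets = {r[3] for r in rows}
    return offsets.pop() if len(offsets) == 1 else None


if __name__ == "__main__":
    rows = correlate(YARA_SOURCES)
    for pid, proc, base, off, prot in rows:
        print(f"pid {pid}: {proc} payload at {base:#x}+{off:#x} ({prot})")
    print("common offset:", hex(shared_offset(rows) or 0))
```

Run stand-alone it prints one line per process; the four hits all resolve to PAGE_EXECUTE_READWRITE regions at offset 0x53f, which is the quickest way to see that the original process and the dropped copy unpack the same payload the same way.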

Mitre Att&ck Matrix

Techniques listed per tactic column of the report's matrix. The number in parentheses is the count of signatures mapped to that technique in this analysis; techniques without a number are the matrix's default entries with no hits.

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1), Native API (121), Command and Scripting Interpreter (2), Service Execution (12), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: DLL Side-Loading (1), Valid Accounts (1), Windows Service (12), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (12), Process Injection (1), Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), File Deletion (1), Masquerading (121), Valid Accounts (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (1), Process Injection (1), Hidden Files and Directories (1)
Credential Access: Input Capture (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (2), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (46), Security Software Discovery (41), Virtualization/Sandbox Evasion (2), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1), Process Discovery, Permission Groups Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
Collection: Archive Collected Data (11), Input Capture (2), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (22), Non-Standard Port (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Data Encrypted for Impact (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

Behavior Graph

(Interactive process graph not reproduced. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)

Screenshots

(Screenshot thumbnails not reproduced.)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
methodsnetsh.exe | 66% | Virustotal | -
methodsnetsh.exe | 59% | Metadefender | -
methodsnetsh.exe | 86% | ReversingLabs | Win32.Trojan.Emotet
methodsnetsh.exe | 100% | Avira | HEUR/AGEN.1123999

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.methodsnetsh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
1.0.methodsnetsh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
6.0.sensorias.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
0.2.methodsnetsh.exe.62053f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.sensorias.exe.ea053f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.0.sensorias.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
7.2.sensorias.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
6.2.sensorias.exe.ab053f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.methodsnetsh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
6.2.sensorias.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999
1.2.methodsnetsh.exe.6f053f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.methodsnetsh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123999

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://91.250.96.22/LhqjdNLOiM5Uy7n | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://fs.microsoft.cH | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000D.00000003.307841187.000001DEADC56000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | false | - | high
http://91.250.96.22/LhqjdNLOiM5Uy7n | sensorias.exe, 00000007.00000002.468140623.000000000019A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000D.00000003.307841187.000001DEADC56000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp; svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000D.00000002.308922083.000001DEADC13000.00000004.00000001.sdmp; svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000D.00000002.308975544.000001DEADC42000.00000004.00000001.sdmp | false | - | high
https://%s.xboxlive.com | svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000D.00000003.286040373.000001DEADC32000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000D.00000003.307808919.000001DEADC5A000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | svchost.exe, 00000008.00000002.470502690.000001A9A7770000.00000002.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000D.00000002.308975544.000001DEADC42000.00000004.00000001.sdmp | false | - | high
https://dynamic.t | svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000D.00000003.307847685.000001DEADC41000.00000004.00000001.sdmp | false | - | high
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp | false | - | high
https://fs.microsoft.cH | svchost.exe, 00000008.00000002.471027858.000001A9A7843000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com | svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | false | - | high
http://www.bingmapsportal.com | svchost.exe, 0000000D.00000002.308922083.000001DEADC13000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | false | - | high
https://%s.dnet.xboxlive.com | svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000D.00000003.307808919.000001DEADC5A000.00000004.00000001.sdmp | false | - | high
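In the raw report these rows run the URL, the owning process, its memory-dump identifier and the Malicious flag together, which makes it easy to miss that all but one of them come from svchost.exe memory (Bing Maps, Xbox Live and other Windows strings) and that the only URL held by a process in the sample's lineage is http://91.250.96.22/LhqjdNLOiM5Uy7n in sensorias.exe. The same process-attribution question decides how much weight the Security Center WMI rows in the HIPS section earlier on this page deserve. The following Python is an added example for this page, not Joe Sandbox code: it parses both row shapes as they appear in the flattened report and grades each finding by the process it came from. The process-name list is taken from this report, and the "weak"/"strong" grading is the example's own heuristic.

```python
"""Triage helper for flattened Joe Sandbox report rows (added example, not
Joe Sandbox code). Two row shapes are parsed:
  1. "URLs from Memory and Binaries" rows, e.g.
     https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmpfalse
  2. "Source: <process><signature kind>: <detail>" rows from the HIPS section.
Findings seen only in Windows' own host processes are graded "weak": svchost
memory is full of benign OS strings, and the Security Center service (wscsvc),
hosted in svchost.exe, legitimately enumerates ROOT\\SecurityCenter2 itself.
"""
import re

# Process names taken from this report's process list (assumption of the example).
SAMPLE_LINEAGE = {"methodsnetsh.exe", "sensorias.exe"}
KNOWN_PROCS = SAMPLE_LINEAGE | {"svchost.exe", "MpCmdRun.exe"}

# Joe Sandbox dump identifier: pidindex.stage.dumpid.baseaddress.protection.type.sdmp
DUMP_ID = r"[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.[0-9A-F]+\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp"
# Anchoring on known process names resolves the URL/process boundary, which is
# otherwise ambiguous ("...LhqjdNLOiM5Uy7nsensorias.exe").
PROC = "(?:" + "|".join(re.escape(p) for p in sorted(KNOWN_PROCS)) + ")"
URL_ROW = re.compile(
    rf"^(?P<url>\S+?)(?P<sources>(?:{PROC}, {DUMP_ID}(?:, )?)+)(?P<malicious>true|false)$"
)
SOURCE_REF = re.compile(rf"({PROC}), ({DUMP_ID})")
SIG_ROW = re.compile(
    r"^Source: (?P<src>.+?)(?P<kind>WMI Queries|Key value created or modified): "
    r"(?P<detail>.+?)(?:Jump to behavior)?$"
)

# Constructed input: rows copied verbatim from this report, including the
# reputation and AV lines that follow a URL row and must be skipped.
SAMPLE_URL_ROWS = [
    "https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmpfalse",
    "high",
    "http://91.250.96.22/LhqjdNLOiM5Uy7nsensorias.exe, 00000007.00000002.468140623.000000000019A000.00000004.00000001.sdmpfalse",
    "• Avira URL Cloud: safe",
    "unknown",
    "https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmpfalse",
    "https://%s.xboxlive.comsvchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmpfalse",
    "low",
]
SAMPLE_SIG_ROWS = [
    r"Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior",
    r"Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct",
]


def parse_url_rows(rows):
    """Map each URL to the processes (and pid indexes) whose memory held it."""
    out = {}
    for row in rows:
        m = URL_ROW.match(row.strip())
        if not m:  # reputation lines ("high"), AV bullets and the like
            continue
        entry = out.setdefault(m["url"], {"procs": set(), "pids": set(), "malicious": False})
        for proc, dump in SOURCE_REF.findall(m["sources"]):
            entry["procs"].add(proc)
            entry["pids"].add(int(dump.split(".")[0], 16))
        entry["malicious"] |= m["malicious"] == "true"
    return out


def evidence_weight(procs):
    """'strong' when the sample or something it dropped held the artifact,
    'weak' when only a Windows host process did."""
    return "strong" if procs & SAMPLE_LINEAGE else "weak"


def triage_urls(rows):
    """{url: (weight, sorted process names)}."""
    return {url: (evidence_weight(e["procs"]), sorted(e["procs"]))
            for url, e in parse_url_rows(rows).items()}


def parse_signature_rows(rows):
    """Attribute HIPS-section findings to a process, flag Security Center ones, grade them."""
    findings = []
    for row in rows:
        m = SIG_ROW.match(row.strip())
        if not m:
            continue
        proc = m["src"].replace("\\", "/").rsplit("/", 1)[-1]
        detail = m["detail"].strip()
        findings.append({
            "process": proc,
            "kind": m["kind"],
            "detail": detail,
            "security_center": "SecurityCenter" in detail or "Security Center" in detail,
            "weight": evidence_weight({proc}),
        })
    return findings


if __name__ == "__main__":
    ranked = sorted(triage_urls(SAMPLE_URL_ROWS).items(), key=lambda kv: kv[1][0] != "strong")
    for url, (weight, procs) in ranked:
        print(f"{weight:6} {','.join(procs):14} {url}")
    for f in parse_signature_rows(SAMPLE_SIG_ROWS):
        print(f"{f['weight']:6} {f['process']:14} {f['kind']}: {f['detail']}")
```

Run stand-alone, the only "strong" line is the 91.250.96.22 URL from sensorias.exe; every Security Center row grades "weak" because its source is svchost.exe. The same grading applied to the full table leaves one URL to pivot on, which matches the Contacted IPs and the Joe Sandbox View context for that address.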

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.250.96.22 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | false
100.6.23.40 | unknown | United States | 701 | UUNETUS | false
190.114.244.182 | unknown | Venezuela | 28007 | GoldDataCAVE | false
200.71.200.4 | unknown | Chile | 20015 | FullComSACL | false

                                                                        Private

                                                                        IP
                                                                        127.0.0.1

                                                                        General Information

                                                                        Joe Sandbox Version:33.0.0 White Diamond
                                                                        Analysis ID:450352
                                                                        Start date:18.07.2021
                                                                        Start time:17:47:50
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 10m 7s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:light
                                                                        Sample file name:methodsnetsh.exe
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Detection:MAL
                                                                        Classification:mal96.bank.troj.evad.winEXE@18/7@0/5
                                                                        EGA Information:
                                                                        • Successful, ratio: 100%
                                                                        HDC Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 100%
                                                                        • Number of executed functions: 0
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Adjust boot time
                                                                        • Enable AMSI
                                                                        • Found application associated with file extension: .exe
                                                                        Warnings:
                                                                        Show All
                                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, UsoClient.exe
                                                                        • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 13.88.21.125, 104.43.193.48, 23.211.6.115, 23.35.236.56, 20.50.102.62, 173.222.108.226, 173.222.108.210, 51.103.5.159, 40.112.88.60, 80.67.82.211, 80.67.82.235
                                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                        Simulations

                                                                        Behavior and APIs

Time | Type | Description
17:49:04 | API Interceptor | 2x Sleep call for process: svchost.exe modified
17:50:19 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

Match | Associated Sample Name / URL | Detection | Context
91.250.96.22 | ipmimaker.exe | malicious | -
100.6.23.40 | http://nofile.ir/wp-content/INC/hzv4v7-855-1188-y244-rxvi/ | malicious | 100.6.23.40/DaV5
100.6.23.40 | https://sharevission.com/wp-content/statement/ | malicious | 100.6.23.40/XXex1CeJN
100.6.23.40 | http://membros.rendaprevi.com.br/wp-content/OCT/yysn5-130737-9201067-melm80sxj-72bezyorg7 | malicious | 100.6.23.40/tFCwNOMvoMKPyZws
100.6.23.40 | https://www.scriptmarket.cn/aspnet_client/payment/3gktoj3r/bild-72121-071870-9ebzsg4dasb-q8ak1kms1r/ | malicious | 100.6.23.40/MMunsXz6R9eebVAh0z2
100.6.23.40 | https://istoselides.zerman.store/test/balance/vh8-20243-290351909-unq1qu11n-9xg9czfo1c | malicious | 100.6.23.40/143VIBS
100.6.23.40 | http://bellconsulting.co.in/fonts/balance/4jh-114249-3812-3getwfervju-3fw88reu/ | malicious | 100.6.23.40/Vk87Wb1LgM3oF4zHE
100.6.23.40 | http://bellconsulting.co.in/fonts/balance/4jh-114249-3812-3getwfervju-3fw88reu | malicious | 100.6.23.40/cmA0qp
190.114.244.182 | ipmimaker.exe | malicious | -
200.71.200.4 | ipmimaker.exe | malicious | -
200.71.200.4 | IWW-010120 NJO-011820.doc | malicious | -

                                                                                Domains

                                                                                No context

                                                                                ASN

Match | Associated Sample Name / URL | Detection | Context
GD-EMEA-DC-SXB1DE | mormanti.exe | malicious | 83.169.21.32
GD-EMEA-DC-SXB1DE | deepRats.exe | malicious | 85.25.213.211
GD-EMEA-DC-SXB1DE | 4zL5XaZ4kc.exe | malicious | 37.61.205.212
GD-EMEA-DC-SXB1DE | Qbat1G0Mop.exe | malicious | 37.61.205.212
GD-EMEA-DC-SXB1DE | NWMEaRqF7s.exe | malicious | 62.75.141.82
GD-EMEA-DC-SXB1DE | rOFZ7NRC7X.exe | malicious | 188.93.8.132
GD-EMEA-DC-SXB1DE | xwKdahKPn8.exe | malicious | 87.230.93.218
GD-EMEA-DC-SXB1DE | boI88C399w.exe | malicious | 62.75.141.82
GD-EMEA-DC-SXB1DE | boI88C399w.exe | malicious | 62.75.141.82
GD-EMEA-DC-SXB1DE | dqVPlpmWYt.exe | malicious | 85.25.199.56
GD-EMEA-DC-SXB1DE | wZtsCbg7ty.exe | malicious | 77.91.233.67
GD-EMEA-DC-SXB1DE | u3O3kHV2IT.exe | malicious | 134.119.45.197
GD-EMEA-DC-SXB1DE | SecuriteInfo.com.BackDoor.Rat.281.18292.exe | malicious | 85.25.185.17
GD-EMEA-DC-SXB1DE | CIh8xCD9fi.exe | malicious | 188.138.33.41
GD-EMEA-DC-SXB1DE | Shipping Doc578.exe | malicious | 92.204.54.9
GD-EMEA-DC-SXB1DE | 8mnXkjPdP0.exe | malicious | 188.138.33.41
GD-EMEA-DC-SXB1DE | SecuriteInfo.com.VB.Trojan.Valyria.4515.27984.xls | malicious | 62.75.161.205
GD-EMEA-DC-SXB1DE | CaUGJzgC.php.dll | malicious | 62.75.161.205
GD-EMEA-DC-SXB1DE | CaUGJzgC.php.dll | malicious | 62.75.161.205
GD-EMEA-DC-SXB1DE | inv062021.exe | malicious | 85.25.177.199
GoldDataCAVE | MkisahOBqH.dll | malicious | 190.52.102.57
UUNETUS | i | malicious | 100.49.120.210
                                                                                deepRats.exeGet hashmaliciousBrowse
                                                                                • 96.253.78.108
                                                                                DpuO7oic9y.exeGet hashmaliciousBrowse
                                                                                • 98.117.195.74
                                                                                NWMEaRqF7s.exeGet hashmaliciousBrowse
                                                                                • 173.62.217.22
                                                                                Remote Support-windows64-online.exeGet hashmaliciousBrowse
                                                                                • 72.76.226.13
                                                                                segYCksCNt.exeGet hashmaliciousBrowse
                                                                                • 96.231.136.12
                                                                                boI88C399w.exeGet hashmaliciousBrowse
                                                                                • 173.63.222.65
                                                                                boI88C399w.exeGet hashmaliciousBrowse
                                                                                • 173.63.222.65
                                                                                mjzvlwauGet hashmaliciousBrowse
                                                                                • 65.253.41.93
                                                                                networkservice.exeGet hashmaliciousBrowse
                                                                                • 206.112.139.168
                                                                                9cf2c56e_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                • 74.108.124.180
                                                                                8UsA.shGet hashmaliciousBrowse
                                                                                • 108.30.94.39
                                                                                Host Process For Windows Tasks.exeGet hashmaliciousBrowse
                                                                                • 100.15.49.234
                                                                                nT7K5GG5kmGet hashmaliciousBrowse
                                                                                • 186.64.54.15
                                                                                KnAY2OIPI3Get hashmaliciousBrowse
                                                                                • 100.58.97.165
                                                                                x86_unpackedGet hashmaliciousBrowse
                                                                                • 203.102.4.9
                                                                                ppc_unpackedGet hashmaliciousBrowse
                                                                                • 65.253.89.22
                                                                                JRyLnlTR1OGet hashmaliciousBrowse
                                                                                • 108.27.92.79
                                                                                ldr.shGet hashmaliciousBrowse
                                                                                • 108.54.61.15
                                                                                rIbyGX66OpGet hashmaliciousBrowse
                                                                                • 68.129.151.18

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\1942f959aae25ff5e177f0a0e912022f_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Process: C:\Windows\SysWOW64\sensorias.exe
File Type: data
Category: dropped
Size (bytes): 57
Entropy (8bit): 2.062967662624547
Encrypted: false
SSDEEP: 3:/lEltfgnwT:yvT
MD5: B5D2B9D74D52DAC47A3F3CB1D065305F
SHA1: 41A4742BC23F3A6FF61C60884604DA6448FFF274
SHA-256: 6359A4FCB0DABE70B88913A6A03CC21385459B8A924A6B3688A2E185C54DAAFA
SHA-512: 01EA77C5972D33494C10D6ADB47CB3F30EAC1AA4B93D6BAAFB75299AA99FED818A6275801BAAE92C18AC5D3C64443BB631A63C2B39B1B88BCD774218BB2B990F
Malicious: false
                                                                                Preview: ........................................computer$.
C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5921564533653279
Encrypted: false
SSDEEP: 6:0Fkcek1GaD0JOCEfMuaaD0JOCEfMKQmDpzh/tAl/gz2cE0fMbhEZolrRSQ2hyYI8:01GaD0JcaaD0JwQQRh/tAg/0bjSQJ
MD5: 113FD5F57C68BE1CD79EE5B4A4A94815
SHA1: 0B14D9A719D31D6CCB384C6B11913DA0E910D65A
SHA-256: 06C45184851B6B33F0D27C62282A411F3CFA3CE38284E5208C362C88EC2BB6C3
SHA-512: 337ADCB907F2EF5DBAF8D57A40C9BBAA21CFB07DCF9A55E5AA438E2AEFD365DD237E167C53000D97AAB5DB5FC3B249AAF38875FC17A887C3FC2232364C12E6EA
Malicious: false
                                                                                Preview: ......:{..(......1...y%.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................1...y%...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x99fb9f13, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09453052983328276
Encrypted: false
SSDEEP: 6:mzwl/+9iRIE11Y8TRXcfWqKozwl/+9iRIE11Y8TRXcfWqK:m0+9iO4blcf1Ko0+9iO4blcf1K
MD5: 50E5B561598CBAB9303B7DBB607857B2
SHA1: 39B79BDD8D2BF8847C27C84646CD9E7F52F6E350
SHA-256: 16E60E7B0279AF13DDC3450FE9CB2E03BBDDC58BA68B153AEC313FB06B8BFDD9
SHA-512: A16D50C436ABBE542AB9FAC12DF1D24AC33759EA4AF4779AF676539579BBC69E9FA719AFA525798941B52FA463D77B0474BC18E0C34BFBF7F23D7C9A16D216DD
Malicious: false
                                                                                Preview: ....... ................e.f.3...w........................&..........w...1...y%.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w...........................................................................................................................................................................................................................................1...y%m................9.oa.1...y%.........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.10865628380359972
Encrypted: false
SSDEEP: 3:ntTEvhnIp+/t+Al/bJdAtiufUcAplllill:A9/t+At4/fWG
MD5: 0A4E1DE4FB960ADFE97339C432EB562B
SHA1: 81C02AB7F5B6D57A08200D88FB755918147AEC82
SHA-256: 58A57359E41D52C0F3BC7675DC538B45384BC7E536059E279904B092C369D4F2
SHA-512: 45E18DBEC85FADC44C6893E2A6DB3E4528E1540BC8002799F4F4926D8FCB4846B69F4A958F53E24A7C61424958D7E289803402B8A2DB536F6DD13CB575967128
Malicious: false
                                                                                Preview: .........................................3...w...1...y%......w...............w.......w....:O.....w..................9.oa.1...y%.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Process: C:\Users\user\Desktop\methodsnetsh.exe
File Type: data
Category: dropped
Size (bytes): 46
Entropy (8bit): 1.0424600748477153
Encrypted: false
SSDEEP: 3:/lbON:u
MD5: 89CA7E02D8B79ED50986F098D5686EC9
SHA1: A602E0D4398F00C827BFCF711066E67718CA1377
SHA-256: 30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
SHA-512: C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
Malicious: false
                                                                                Preview: ........................................user.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: data
Category: modified
Size (bytes): 906
Entropy (8bit): 3.1549544060771617
Encrypted: false
SSDEEP: 12:58KRBubdpkoF1AG3rZB2uD9Ck9+MlWlLehB4yAq7ejC4B2uD9P:OaqdmuF3rjf+kWReH4yJ7MrF
MD5: 1E366452F97A8482ECB9C00961CFB6CE
SHA1: DD546B50184AB1398846B2497CACE845E7C068EB
SHA-256: 0975D17236669342BD464FE84038355F5335D7B36BDBAE20B578DDF57A8AC656
SHA-512: D01A8C3B787F9BCD6646B8C50592F4E643D8CB6A515729BA2538C936B45E7DB08C773E7DAE3920B1F510857910EA6A42983FBC92AAD65DD93F5A53247114756A
Malicious: false
                                                                                Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. J.u.l. .. 1.8. .. 2.0.2.1. .1.7.:.5.0.:.1.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. J.u.l. .. 1.8. .. 2.0.2.1. .1.7.:.5.0.:.1.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.095719913394487
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: methodsnetsh.exe
File size: 352278
MD5: 8e22080fe62e462723d231fe5c8ba98a
SHA1: 8b58fd7bcd7083e5a326e7a04e10c0e0626ac4ca
SHA256: d082395ca1ce0c118edbff1e5bf1b1d4ad2db5aefa5691cc4c15bd94208a3cc0
SHA512: ad73acccf790f4962e8c67bfa4cdfc189b0e8bfb54af94902294f7b55c000a877cce7e22becd095133b701a5966a8b3809b850bcd5c24d30fe3c14584b09cbd7
SSDEEP: 6144:keeqOehy0o9z+dfMfpwZZZZw/zkF5+ZymSRln98x:nVjt8Pri5+ZIX9
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._..._..._.......X...L...]...Z...C...Z.......t...V.......W.......N..._...G.......^...Z...9.......^...Z...^...Rich_..........

File Icon

Icon Hash: e0e2dbc5ddd1d9d9

Static PE Info

General

Entrypoint: 0x41d436
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5E21F7F3 [Fri Jan 17 18:07:47 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 95079c0595744051842d53e9a3ed2db3

Entrypoint Preview

Instruction
push 00000060h
push 00436818h
call 00007FDF88B6C79Bh
mov edi, 00000094h
mov eax, edi
call 00007FDF88B6BEF7h
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [00434254h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0043F8F8h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0043F904h], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0043F908h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0043F8FCh], esi
cmp ecx, 02h
je 00007FDF88B6BF9Eh
or esi, 00008000h
mov dword ptr [0043F8FCh], esi
shl eax, 08h
add eax, edx
mov dword ptr [0043F900h], eax
xor esi, esi
push esi
mov edi, dword ptr [00434198h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FDF88B6BFB1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FDF88B6BFA4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FDF88B6BFB1h
cmp eax, 0000020Bh
je 00007FDF88B6BF97h
mov dword ptr [ebp-1Ch], esi
jmp 00007FDF88B6BFB9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FDF88B6BF84h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007FDF88B6BFA0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FDF88B6BF74h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:
• [RES] VS2003 (.NET) build 3077
• [ASM] VS2003 (.NET) build 3077
• [C++] VS2003 (.NET) build 3077
• [ C ] VS2003 (.NET) build 3077
• [LNK] VS2003 (.NET) build 3077

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x39bc0 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42000 | 0x17ed8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x37b00 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x478 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x39b38 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x32664 | 0x33000 | False | 0.329182942708 | data | 5.2999185965 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x34000 | 0x73c8 | 0x8000 | False | 0.318481445312 | data | 4.70606194355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x51d4 | 0x2000 | False | 0.29150390625 | data | 3.57086001659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x42000 | 0x17ed8 | 0x18000 | False | 0.79535929362 | data | 7.3193275368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
SPOOFER | 0x453a0 | 0x11124 | data | French | France
RT_CURSOR | 0x56b90 | 0x134 | data | French | France
RT_CURSOR | 0x56cc8 | 0xb4 | data | French | France
RT_CURSOR | 0x56da8 | 0x134 | AmigaOS bitmap font | French | France
RT_CURSOR | 0x56ef8 | 0x134 | data | French | France
RT_CURSOR | 0x57048 | 0x134 | data | French | France
RT_CURSOR | 0x57198 | 0x134 | data | French | France
RT_CURSOR | 0x572e8 | 0x134 | data | French | France
RT_CURSOR | 0x57438 | 0x134 | data | French | France
RT_CURSOR | 0x57588 | 0x134 | data | French | France
RT_CURSOR | 0x576d8 | 0x134 | data | French | France
RT_CURSOR | 0x57828 | 0x134 | data | French | France
RT_CURSOR | 0x57978 | 0x134 | data | French | France
RT_CURSOR | 0x57ac8 | 0x134 | AmigaOS bitmap font | French | France
RT_CURSOR | 0x57c18 | 0x134 | data | French | France
RT_CURSOR | 0x57d68 | 0x134 | data | French | France
RT_CURSOR | 0x57eb8 | 0x134 | data | French | France
RT_BITMAP | 0x58100 | 0xb8 | data | French | France
RT_BITMAP | 0x581b8 | 0x144 | data | French | France
RT_ICON | 0x42c10 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4177497992, next used block 34936 | French | France
RT_ICON | 0x42ef8 | 0x128 | GLS_BINARY_LSB_FIRST | French | France
RT_ICON | 0x43020 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | French | France
RT_ICON | 0x438c8 | 0x568 | GLS_BINARY_LSB_FIRST | French | France
RT_ICON | 0x43e30 | 0x10a8 | data | French | France
RT_ICON | 0x44ed8 | 0x468 | GLS_BINARY_LSB_FIRST | French | France
RT_DIALOG | 0x564c8 | 0x12e | data | French | France
RT_DIALOG | 0x565f8 | 0x26c | data | French | France
RT_DIALOG | 0x58008 | 0xf8 | data | French | France
RT_STRING | 0x58300 | 0x58 | data | French | France
RT_STRING | 0x58358 | 0xb2 | data | French | France
RT_STRING | 0x58410 | 0x30 | data | French | France
RT_STRING | 0x58440 | 0x1de | data | French | France
RT_STRING | 0x58620 | 0x630 | data | French | France
RT_STRING | 0x590c8 | 0x346 | data | French | France
RT_STRING | 0x58d40 | 0x388 | data | French | France
RT_STRING | 0x59de0 | 0xa4 | data | French | France
RT_STRING | 0x58c50 | 0xec | data | French | France
RT_STRING | 0x59c18 | 0x192 | data | French | France
RT_STRING | 0x59410 | 0x576 | data | French | France
RT_STRING | 0x59988 | 0x28c | data | French | France
RT_STRING | 0x59db0 | 0x2c | data | French | France
RT_STRING | 0x59e88 | 0x4c | data | French | France
RT_GROUP_CURSOR | 0x56d80 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | French | France
RT_GROUP_CURSOR | 0x57570 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x56ee0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57420 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x572d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57c00 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57180 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57810 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57030 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x576c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57960 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57ab0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57d50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57ea0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_CURSOR | 0x57ff0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France
RT_GROUP_ICON | 0x45340 | 0x5a | data | French | France
RT_VERSION | 0x56868 | 0x324 | data | French | France

Imports

DLL | Imports
RPCRT4.dll | UuidFromStringA
QUARTZ.dll | AMGetErrorTextA
KERNEL32.dll | HeapFree, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetStartupInfoA, GetCommandLineA, ExitProcess, HeapReAlloc, TerminateProcess, HeapSize, SetUnhandledExceptionFilter, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, HeapAlloc, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetTimeZoneInformation, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, SetEnvironmentVariableA, RtlUnwind, GetOEMCP, GetCPInfo, GlobalFlags, WritePrivateProfileStringA, SetErrorMode, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedDecrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, FreeResource, GlobalAddAtomA, GetCurrentThread, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, ConvertDefaultLocale, EnumResourceLanguagesA, FileTimeToLocalFileTime, FileTimeToSystemTime, LoadLibraryA, GetProcAddress, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, lstrcpyA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, GetModuleFileNameA, GetCurrentThreadId, CloseHandle, lstrcmpA, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GlobalFree, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, SetLastError, lstrcpynA, CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, LoadLibraryW, MultiByteToWideChar, WideCharToMultiByte, FindResourceA, LoadResource, LockResource, SizeofResource, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, GetEnvironmentStrings
USER32.dll | LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, DestroyMenu, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSysColor, AdjustWindowRectEx, GetClassInfoA, RegisterClassA, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, SendMessageA, ShowWindow, DrawIcon, AppendMenuA, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, CharUpperA, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetCursor, PostQuitMessage, PostMessageA, wsprintfA, GetWindowTextLengthA, GetWindowTextA, GetFocus, SetWindowPos, SetFocus, SetWindowLongA, GetDlgCtrlID, SetWindowTextA, IsDialogMessageA, SendDlgItemMessageA, GetDlgItem, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, UnregisterClassA, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, MessageBoxA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled
GDI32.dll | GetStockObject, DeleteDC, ScaleWindowExtEx, SetWindowExtEx, RectVisible, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, CreateBitmap, GetDeviceCaps, PtVisible, DeleteObject, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, TextOutA
comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegCloseKey, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExW
COMCTL32.dll | (none listed)
SHLWAPI.dll | PathIsUNCA, PathFindExtensionA, PathStripToRootA, PathFindFileNameA
ole32.dll | CoUninitialize, CoCreateInstance, CoTaskMemFree, CoInitialize
OLEAUT32.dll | SysAllocStringLen, VariantClear, VariantInit, VariantChangeType

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2002
InternalName | DShowEncoder
FileVersion | 1, 0, 0, 76
CompanyName | (empty)
LegalTrademarks | (empty)
ProductName | Application DShowEncoder
ProductVersion | 1, 0, 0, 76
FileDescription | Application MFC DShowEncoder
OriginalFilename | DShowEncoder.EXE
Translation | 0x040c 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
French | France

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

Code Manipulations

Statistics

Behavior

                                                                                System Behavior

                                                                                General

Start time: 17:48:38
Start date: 18/07/2021
Path: C:\Users\user\Desktop\methodsnetsh.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\methodsnetsh.exe'
Imagebase: 0x400000
File size: 352278 bytes
MD5 hash: 8E22080FE62E462723D231FE5C8BA98A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 17:48:39
Start date: 18/07/2021
Path: C:\Users\user\Desktop\methodsnetsh.exe
Wow64 process (32bit): true
Commandline: --4a9ea48a
Imagebase: 0x400000
File size: 352278 bytes
MD5 hash: 8E22080FE62E462723D231FE5C8BA98A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 17:48:46
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:48:47
Start date: 18/07/2021
Path: C:\Windows\SysWOW64\sensorias.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\sensorias.exe
Imagebase: 0x400000
File size: 352278 bytes
MD5 hash: 8E22080FE62E462723D231FE5C8BA98A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 17:48:48
Start date: 18/07/2021
Path: C:\Windows\SysWOW64\sensorias.exe
Wow64 process (32bit): true
Commandline: --606904f7
Imagebase: 0x400000
File size: 352278 bytes
MD5 hash: 8E22080FE62E462723D231FE5C8BA98A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 17:49:04
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:08
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:15
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:16
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:17
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:17
Start date: 18/07/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff675c40000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:18
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:18
Start date: 18/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:50:18
Start date: 18/07/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase: 0x7ff653940000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:50:19
Start date: 18/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis