
Windows Analysis Report 8U5snojV8p

Overview

General Information

Sample Name: 8U5snojV8p (renamed file extension from none to exe)
Analysis ID: 481919
MD5: 0df4aaffd21acf21ff44429ca485fab8
SHA1: 6915e92d42c5588b8fb254b6e7f69fcefc8d5c82
SHA256: 3147bee916b63c96acc5fb06cac93846d13bb44804931f390f66348abf603941
Tags: exe

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • 8U5snojV8p.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\8U5snojV8p.exe' MD5: 0DF4AAFFD21ACF21FF44429CA485FAB8)
  • svchost.exe (PID: 6592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6780 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6860 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6956 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7028 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5368 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1256 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 844 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6740 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6448 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["94.49.254.194:80", "212.51.142.238:8080", "91.231.166.124:8080", "162.241.92.219:8080", "79.98.24.39:8080", "109.117.53.230:443", "121.124.124.40:7080", "101.187.97.173:80", "168.235.67.138:7080", "104.131.44.150:8080", "5.39.91.110:7080", "139.59.60.244:8080", "81.2.235.111:8080", "116.203.32.252:8080", "61.19.246.238:443", "176.111.60.55:8080", "190.55.181.54:443", "108.48.41.69:80", "203.153.216.189:7080", "103.86.49.11:8080", "104.236.246.93:8080", "75.139.38.211:80", "169.239.182.217:8080", "62.75.141.82:80", "93.156.165.186:80", "73.11.153.178:8080", "157.245.99.39:8080", "41.60.200.34:80", "50.116.86.205:8080", "31.31.77.83:443", "209.182.216.177:443", "62.138.26.28:8080", "95.213.236.64:8080", "95.179.229.244:8080", "209.141.54.221:8080", "91.211.88.52:7080", "37.187.72.193:8080", "137.59.187.107:8080", "139.130.242.43:80", "46.105.131.87:80", "87.106.139.101:8080", "200.55.243.138:8080", "5.196.74.210:8080", "79.7.158.208:80", "185.94.252.104:443", "104.131.11.150:443", "37.139.21.175:8080", "190.108.228.62:443", "24.1.189.87:8080", "91.205.215.66:443", "186.208.123.210:443", "108.26.231.214:80", "201.173.217.124:443", "110.145.77.103:80", "190.160.53.126:80", "162.154.38.103:80", "78.24.219.147:8080", "210.165.156.91:80", "109.74.5.95:8080", "95.9.185.228:443", "93.51.50.171:8080", "200.41.121.90:80", "46.105.131.79:8080", "124.45.106.173:443", "74.208.45.104:8080", "153.126.210.205:7080", "87.106.136.232:8080"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.8U5snojV8p.exe.67053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.8U5snojV8p.exe.67053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.8U5snojV8p.exe.67053f.1.unpack; Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 8U5snojV8p.exe; Metadefender: Detection: 60%
Source: 8U5snojV8p.exe; ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: 8U5snojV8p.exe; Avira: detected
Antivirus detection for URL or domain
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R; Avira URL Cloud: Label: malware
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/; Avira URL Cloud: Label: malware
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0; Avira URL Cloud: Label: malware
Source: 0.0.8U5snojV8p.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 0.2.8U5snojV8p.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 10.2.Windows.System.Profile.RetailInfo.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 10.0.Windows.System.Profile.RetailInfo.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen2
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe; Code function: 10_2_00781D73 CryptDecodeObjectEx
Source: 8U5snojV8p.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Binary string: C:\Users\User\Desktop\VC 6.0\21.7.20\chatwithusdi_src\Chat Client\Release\Chat Client.pdb; source: 8U5snojV8p.exe
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe; Code function: 10_2_007828A3 FindFirstFileW,FindNextFileW,FindClose

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: the C2 list given under Malware Configuration above
Source: global traffic; TCP traffic: 192.168.2.5:49748 -> 94.49.254.194:80
Source: Joe Sandbox View; ASN Name: LIQUID-ASGB
Source: Joe Sandbox View; ASN Name: ASN-IBSNAZIT
Source: Joe Sandbox View; IP Address: 109.117.53.230
Source: global traffic; HTTP traffic detected:
POST /YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/ HTTP/1.1
Referer: http://162.241.92.219/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/
Content-Type: multipart/form-data; boundary=---------------------------978213554566447
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 162.241.92.219:8080
Content-Length: 4548
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic; TCP traffic: 192.168.2.5:49760 -> 212.51.142.238:8080
Source: global traffic; TCP traffic: 192.168.2.5:49793 -> 91.231.166.124:8080
Source: global traffic; TCP traffic: 192.168.2.5:49794 -> 162.241.92.219:8080
Source: global traffic; TCP traffic: 192.168.2.5:49795 -> 79.98.24.39:8080
Source: unknown; Network traffic detected: IP country count 28
Source: unknown; TCP traffic detected without corresponding DNS query: 94.49.254.194
Source: unknown; TCP traffic detected without corresponding DNS query: 212.51.142.238
Source: unknown; TCP traffic detected without corresponding DNS query: 91.231.166.124
Source: unknown; TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown; TCP traffic detected without corresponding DNS query: 79.98.24.39
                  Source: 8U5snojV8p.exe, 00000000.00000002.296595279.000000000079A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                  Source: C:\Users\user\Desktop\8U5snojV8p.exeCode function: 0_2_004240C6 GetAsyncKeyState,GetAsyncKeyState,#2864,#4083,#4083,GetParent,#2864,#4083,GetAsyncKeyState,0_2_004240C6

                  E-Banking Fraud:

                  Yara detected Emotet
                  Source: Yara match | File source: 0.2.8U5snojV8p.exe.67053f.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.8U5snojV8p.exe.67053f.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, type: MEMORY
                  Source: 8U5snojV8p.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | File deleted: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe:Zone.Identifier
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | File created: C:\Windows\SysWOW64\dbgeng\
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_00401370 0_2_00401370
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_00401370 10_2_00401370
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: String function: 004269E6 appears 230 times
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: String function: 004269E6 appears 230 times
                  Source: 8U5snojV8p.exe, 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameChat Client.EXE vs 8U5snojV8p.exe
                  Source: 8U5snojV8p.exe | Binary or memory string: OriginalFilenameChat Client.EXE vs 8U5snojV8p.exe
                  Source: 8U5snojV8p.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                  Source: 8U5snojV8p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 8U5snojV8p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 8U5snojV8p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 8U5snojV8p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 8U5snojV8p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                  Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                  Source: 8U5snojV8p.exe | Metadefender: Detection: 60%
                  Source: 8U5snojV8p.exe | ReversingLabs: Detection: 77%
                  Source: 8U5snojV8p.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\8U5snojV8p.exe 'C:\Users\user\Desktop\8U5snojV8p.exe'
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                  Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process created: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process created: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: classification engine | Classification label: mal96.troj.evad.winEXE@16/5@0/69
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_0041F987 CoCreateInstance, 0_2_0041F987
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | File read: C:\Users\desktop.ini
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_00783501 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification, 10_2_00783501
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2076:120:WilError_01
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_00420930 _EH_prolog,#1168,FindResourceA,LoadResource,SizeofResource,LockResource,ExtCreateRegion,#1641,#2452,SetWindowRgn,#2414, 0_2_00420930
                  Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: 8U5snojV8p.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\Users\User\Desktop\VC 6.0\21.7.20\chatwithusdi_src\Chat Client\Release\Chat Client.pdb source: 8U5snojV8p.exe
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_004269B0 push eax; ret 0_2_004269DE
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_0067834C push esi; iretd 0_2_00678354
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_0067862D push eax; ret 0_2_00678649
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_004269B0 push eax; ret 10_2_004269DE
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_0077834C push esi; iretd 10_2_00778354
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_0077862D push eax; ret 10_2_00778649
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_00777E3C push eax; ret 10_2_00777E69

                  Persistence and Installation Behavior:

                  Drops executables to the windows directory (C:\Windows) and starts them
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Executable created and started: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | PE file moved: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

                  Hooking and other Techniques for Hiding and Protection:

                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | File opened: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Code function: 0_2_004012F3 _EH_prolog,OpenFileMappingA,#800,MapViewOfFile,#521,#567,#1651,GetLastActivePopup,#2864,IsIconic,#6215,SetForegroundWindow,#2463,#818,UnmapViewOfFile,CloseHandle,#6307,CloseHandle, 0_2_004012F3
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Code function: 10_2_004012F3 _EH_prolog,OpenFileMappingA,#800,MapViewOfFile,#521,#567,#1651,GetLastActivePopup,#2864,IsIconic,#6215,SetForegroundWindow,#2463,#818,UnmapViewOfFile,CloseHandle,#6307,CloseHandle, 10_2_004012F3
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8U5snojV8p.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe | Process information set: NOOPENFILEERRORBOX