
Windows Analysis Report FIyE6huzxV

Overview

General Information

Sample Name: FIyE6huzxV (renamed file extension from none to dll)
Analysis ID: 524856
MD5: ae5017480fc46fea5f5b35e684be8639
SHA1: b5f7941d2b2be6fc1ee9a95a214a39404661b2bc
SHA256: 610f8e0834645e2bf2a47c9d7f8cff5e902bef45750f3c2d1ad84bea66b681ca
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6404 cmdline: loaddll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6416 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6436 cmdline: rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6816 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • BackgroundTransferHost.exe (PID: 6816 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • rundll32.exe (PID: 6424 cmdline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 5600 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6472 cmdline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6604 cmdline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 7044 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6672 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6852 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7088 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1720 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5424 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4792 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5452 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1348 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6464 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings
Source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
(2 further entries not shown)

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings
Source: 1.2.loaddll32.exe.90bee8.1.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 7.2.rundll32.exe.3505238.1.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 5.2.rundll32.exe.2e943e0.0.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 5.2.rundll32.exe.2e943e0.0.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 4.2.rundll32.exe.2a55338.1.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
(5 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started | Author: FPT.EagleEye | Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6436, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL, ProcessId: 6816

Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.2e943e0.0.raw.unpack | Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: FIyE6huzxV.dll | Virustotal: Detection: 19%
Source: FIyE6huzxV.dll | ReversingLabs: Detection: 22%
Source: FIyE6huzxV.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: FIyE6huzxV.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6CD1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6CD1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E1A80 FindFirstFileW,

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.7:49764 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: the 20 entries of the "C2 list" shown under Malware Configuration above
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: GET /ixufuEvpOVRaGsMcwVdxxNdVEbwDu HTTP/1.1 | Cookie: aCktUHAkMKD=TfyHqYLXTgYzdruEwNizDAfbCqZTgvqsH66CTQb1ytbBq80BnlqrtzN99nJXwaPo9lxyz/uAmFRullUIX0ZowWZs9CNvL/wvwz9s0Lyk9stGcsTkt35/6+ScCB6oHb65u6YN4GepkyMPsVCOcYLehsOLK7Ic3r5z0nvRBBYP/pa0Ftru5H1By1CJJuTLx5srUGF+6FxghaKUJmk9h02X8MAniWAG0gALx5fIxZLs/7s3UdtcvXiWG9uyM0dj8j6ddiLVwX64otV1KIALayfbuVeEUs4Up9/eppFXVuKG+YmasQ== | Host: 51.178.61.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 207.148.81.119 207.148.81.119
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000013.00000002.773553604.00000000032BA000.00000004.00000020.sdmp | String found in binary or memory: https://51.178.61.60/Y
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp | String found in binary or memory: https://51.178.61.60/ixufuEvpOVRaGsMcwVdxxNdVEbwDu
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030F1027 InternetReadFile,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 1.2.loaddll32.exe.90bee8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3505238.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2e943e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2e943e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a55338.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a55338.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.30f4200.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.90bee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3505238.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.30f4200.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.351034288.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.351194213.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY

                      System Summary:

Source: FIyE6huzxV.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081A048
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00812654
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00819A57
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082406E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00811C76
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00819384
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081758F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00824D8D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00814F8E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081FD91
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00831193
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082B397
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082D99A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00822FA2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00829DA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00824BAA
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00827BB2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082B1B5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081BFB6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008325C3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00816FC4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081A3DF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008155E8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082BFE8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_008303F1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081C5FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00813502
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00812309
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082FD10
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081251C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00815923
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00816B25
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0083292B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00830B34
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00831343
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00813345
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082F14D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0081C158
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00813F5C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082056A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00821F6B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0082577E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A6620
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A5730
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A5EE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6CC6FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6AF700
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6C3780
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BDC5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6B1CD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BDA2D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6A2A80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BA29D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6D3074
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A6620
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A5730
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A5EE0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6CC6FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6AF700
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6C3780
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6BDC5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6B1CD0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6BDA2D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A2A80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6BA29D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6D3074
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6D1929
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F0B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E4BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E31A6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E47BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D55E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DC5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DEC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E5220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D943C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EF83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D3845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D2043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DAC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E78A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F08D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EDEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D30F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D2309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D3502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EFD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D6B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E6726
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D5923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EF14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D3345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F1343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DC158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E1F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E4D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D9384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030ED99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EB397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F1193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DFD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E2FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E9DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EB1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DBFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E7BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E43B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F25C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EBFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F03F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D8C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D4C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DE21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DF41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E1C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DD223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D9E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F1A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DA048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D2A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EE441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D2654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D9A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D1C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DCC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E4E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030F0687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D7283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EAC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D3C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030ED091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030ECAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030ED6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030DFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E66BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E98BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E90BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030D5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EBEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030E0ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030ECCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EAEEB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EA8F0
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E6B5BE0 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E6B5BE0 appears 46 times
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A13F0 zwxnlwalmcbgmt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6A13F0 zwxnlwalmcbgmt,
Source: FIyE6huzxV.dll | Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs FIyE6huzxV.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: FIyE6huzxV.dll | Virustotal: Detection: 19%
Source: FIyE6huzxV.dll | ReversingLabs: Detection: 22%
Source: FIyE6huzxV.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine | Classification label: mal100.troj.evad.winDLL@37/7@0/21
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6ABC70 SHGetFolderPathW,CoCreateInstance,
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E1B54 CreateToolhelp32Snapshot,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6AEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\BackgroundTransferHost.exe | Automated click: OK
Source: FIyE6huzxV.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: FIyE6huzxV.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FIyE6huzxV.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FIyE6huzxV.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FIyE6huzxV.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FIyE6huzxV.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00811229 push eax; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6B5C26 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6D8067 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6B5C26 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6D8067 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E6134 push edi; retf 0040h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E475A pushfd ; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030D1229 push eax; retf
Source: FIyE6huzxV.dll | Static PE information: real checksum: 0x81586 should be: 0x7a3ed
Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E6A6672 second address: 000000006E6A66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD278BE2511h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E6A8A23 second address: 000000006E6A8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD278BF905Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E6A6672 second address: 000000006E6A66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD278BE2511h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E6A8A23 second address: 000000006E6A8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD278BF905Eh 0x00000007 rdtscp
Source: C:\Windows\System32\svchost.exe TID: 6572 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6576 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4460 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A6620 rdtscp
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6CD1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E6CD1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_030E1A80 FindFirstFileW,
Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000006.00000002.633228868.0000019BB3862000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000001E.00000003.550373465.000002E1BC082000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 00000006.00000002.632380609.0000019BAE229000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.551731215.000002E1BC0E1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.772886609.0000015A28A69000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.772237774.000001CBF3629000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW&Z=
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6B846D GetProcessHeap,HeapFree,InterlockedPushEntrySList,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A6620 rdtscp
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0082DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A6620 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6B849D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A6510 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6A8A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6C69AA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A6620 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6B849D mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A6510 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6A8A50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6C69AA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_030EDE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6B5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E6B5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6B5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E6B5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000013.00000002.773907586.00000000036F0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6B5916 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E6B5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000011.00000002.772444199.00000294AAB02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 1.2.loaddll32.exe.90bee8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3505238.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2e943e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.2e943e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a55338.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2a55338.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.30f4200.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.90bee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.3505238.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.30f4200.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.351034288.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.351194213.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

The matrix is listed here by tactic column; the trailing digits on a technique are the report's own per-technique signature markers.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection112; DLL Side-Loading1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Masquerading2; Disable or Modify Tools1; Virtualization/Sandbox Evasion2; Process Injection112; Deobfuscate/Decode Files or Information1; Hidden Files and Directories1; Obfuscated Files or Information2; Rundll321; DLL Side-Loading1; File Deletion1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery1; Security Software Discovery161; Virtualization/Sandbox Evasion2; Process Discovery2; Remote System Discovery1; File and Directory Discovery2; System Information Discovery144; Network Service Scanning; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data1; Clipboard Data1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel11; Ingress Tool Transfer2; Non-Application Layer Protocol1; Application Layer Protocol12; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 524856 | Sample: FIyE6huzxV | Startdate: 19/11/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Sigma detected: Emotet RunDLL32 Process Creation; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; 3 other signatures
Sample-level network: 85.214.67.203 STRATOSTRATOAGDE Germany; 195.154.146.35 OnlineSASFR France; 17 other IPs or domains

Process tree (indentation = parent/child, signatures in brackets):
loaddll32.exe [Tries to detect virtualization through RDTSC time measurements]
    rundll32.exe [Tries to detect virtualization through RDTSC time measurements; Hides that the sample has been downloaded from the Internet (zone.identifier)]
        rundll32.exe
            rundll32.exe -> 51.178.61.60, 443, 49764 OVHFR France [System process connects to network (likely due to code injection or exploit)]
    cmd.exe
        rundll32.exe
            rundll32.exe
            BackgroundTransferHost.exe
    rundll32.exe
        rundll32.exe
    2 other processes
        rundll32.exe
svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)]
    MpCmdRun.exe
        conhost.exe
svchost.exe -> 127.0.0.1 unknown unknown
8 other processes


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
FIyE6huzxV.dll | 20% | Virustotal | -
FIyE6huzxV.dll | 23% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
7.2.rundll32.exe.3480000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.34e0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
4.2.rundll32.exe.29b0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.2fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
1.2.loaddll32.exe.810000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
19.2.rundll32.exe.30d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
5.2.rundll32.exe.3110000.1.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://51.178.61.60/ixufuEvpOVRaGsMcwVdxxNdVEbwDu | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://51.178.61.60/ | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
https://51.178.61.60/Y | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com. | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://51.178.61.60/ixufuEvpOVRaGsMcwVdxxNdVEbwDu | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000F.00000003.387745693.0000018F9B257000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp | false | - | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000F.00000003.387685951.0000018F9B248000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000F.00000003.362849002.0000018F9B231000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
http://crl.ver) | svchost.exe, 00000006.00000002.633228868.0000019BB3862000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.551789701.000002E1BC0ED000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000F.00000003.387772041.0000018F9B241000.00000004.00000001.sdmp | false | - | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001E.00000003.533091604.000002E1BCE02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000F.00000003.387772041.0000018F9B241000.00000004.00000001.sdmp | false | - | high
https://%s.xboxlive.com | svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000F.00000003.387685951.0000018F9B248000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000F.00000003.362849002.0000018F9B231000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp | false | - | high
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://51.178.61.60/ | rundll32.exe, 00000013.00000003.440932609.00000000032E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000F.00000003.387772041.0000018F9B241000.00000004.00000001.sdmp | false | - | high
https://dynamic.t | svchost.exe, 0000000F.00000003.387669870.0000018F9B264000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmp | false | - | high
https://disneyplus.com/legal. | svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000F.00000002.388224173.0000018F9B23A000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmp | false | - | high
https://51.178.61.60/Y | rundll32.exe, 00000013.00000002.773553604.00000000032BA000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://%s.xboxlive.com. | svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://activity.windows.com | svchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmp | false | - | high
http://www.bingmapsportal.com | svchost.exe, 0000000F.00000002.388191444.0000018F9B213000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000F.00000003.387679897.0000018F9B262000.00000004.00000001.sdmp | false | - | high
http://help.disneyplus.com. | svchost.exe, 0000001E.00000003.532070250.000002E1BCE21000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.532019244.000002E1BC987000.00000004.00000001.sdmp | false
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000F.00000002.388232424.0000018F9B23C000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://%s.dnet.xboxlive.comsvchost.exe, 00000008.00000002.772692496.0000015A28A46000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    low
                                                                                    https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000F.00000003.387720088.0000018F9B25B000.00000004.00000001.sdmpfalse
                                                                                        high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
196.44.98.190 | unknown | Ghana | 327814 | EcobandGH | true
78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.59.209.141 | unknown | France | 16276 | OVHFR | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
45.79.33.48 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
185.148.169.10 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
54.38.242.185 | unknown | France | 16276 | OVHFR | true
195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
51.178.61.60 | unknown | France | 16276 | OVHFR | true
177.72.80.14 | unknown | Brazil | 262543 | NewLifeFibraBR | true
66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
51.210.242.234 | unknown | France | 16276 | OVHFR | true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 524856
Start date: 19.11.2021
Start time: 00:55:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FIyE6huzxV (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@37/7@0/21
EGA Information: Failed
HDC Information:
• Successful, ratio: 10.7% (good quality ratio 9.7%)
• Quality average: 70.4%
• Quality standard deviation: 30%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.54.110.249, 52.251.79.25
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
00:56:26 | API Interceptor | 11x Sleep call for process: svchost.exe modified
00:58:17 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
207.148.81.119 | t5EuQW2GUF.dll | malicious
| uh1WyesPlh.dll | malicious
| 8rryPzJR1p.dll | malicious
| a65FgjVus4.dll | malicious
| bWjYh6H8wk.dll | malicious
| ZJOHKItBoJ.dll | malicious
| eyPPiz3W6u.dll | malicious
| HjYSwxqyUn.dll | malicious
| f47YPsvRI3.dll | malicious
| 2n64VXT08V.dll | malicious
| qUr4bXsweR.dll | malicious
| 52O6evfqQT.dll | malicious
| ONEitXKvz6.dll | malicious
| 1w9i8K6AzWV5RmHTSn8.dll | malicious
| nXOpgPAbKC.dll | malicious
| yezVNLNobB.dll | malicious
| rRX4GBcJKK.dll | malicious
| d2EyAMvU47.dll | malicious
| 5Fp1yvQlGM.dll | malicious
| IQKuIlAiRd.dll | malicious

Domains

No context

                                                                                                                                ASN

                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                AS-CHOOPAUSt5EuQW2GUF.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                uh1WyesPlh.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                8rryPzJR1p.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                a65FgjVus4.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                bWjYh6H8wk.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                ZJOHKItBoJ.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                eyPPiz3W6u.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                HjYSwxqyUn.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                f47YPsvRI3.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                2n64VXT08V.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                qUr4bXsweR.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                52O6evfqQT.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                ONEitXKvz6.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exeGet hashmaliciousBrowse
                                                                                                                                • 149.28.253.196
                                                                                                                                jQ32XS2Lgf.exeGet hashmaliciousBrowse
                                                                                                                                • 216.128.137.31
                                                                                                                                QbXMqZr3bx.exeGet hashmaliciousBrowse
                                                                                                                                • 216.128.137.31
                                                                                                                                Whg8jgqeOs.exeGet hashmaliciousBrowse
                                                                                                                                • 149.28.253.196
                                                                                                                                SdbW7ReHTT.exeGet hashmaliciousBrowse
                                                                                                                                • 216.128.137.31
                                                                                                                                1w9i8K6AzWV5RmHTSn8.dllGet hashmaliciousBrowse
                                                                                                                                • 66.42.57.149
                                                                                                                                QTjMt7g965.exeGet hashmaliciousBrowse
                                                                                                                                • 216.128.137.31
                                                                                                                                EcobandGHt5EuQW2GUF.dllGet hashmaliciousBrowse
                                                                                                                                • 196.44.98.190
                                                                                                                                uh1WyesPlh.dllGet hashmaliciousBrowse
                                                                                                                                • 196.44.98.190
                                                                                                                                8rryPzJR1p.dllGet hashmaliciousBrowse
                                                                                                                                • 196.44.98.190
                                                                                                                                a65FgjVus4.dllGet hashmaliciousBrowse
                                                                                                                                • 196.44.98.190
bWjYh6H8wk.dll | malicious | 196.44.98.190
ZJOHKItBoJ.dll | malicious | 196.44.98.190
eyPPiz3W6u.dll | malicious | 196.44.98.190
HjYSwxqyUn.dll | malicious | 196.44.98.190
f47YPsvRI3.dll | malicious | 196.44.98.190
2n64VXT08V.dll | malicious | 196.44.98.190
qUr4bXsweR.dll | malicious | 196.44.98.190
52O6evfqQT.dll | malicious | 196.44.98.190
ONEitXKvz6.dll | malicious | 196.44.98.190
1w9i8K6AzWV5RmHTSn8.dll | malicious | 196.44.98.190
nXOpgPAbKC.dll | malicious | 196.44.98.190
yezVNLNobB.dll | malicious | 196.44.98.190
rRX4GBcJKK.dll | malicious | 196.44.98.190
d2EyAMvU47.dll | malicious | 196.44.98.190
5Fp1yvQlGM.dll | malicious | 196.44.98.190
IQKuIlAiRd.dll | malicious | 196.44.98.190

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context (IP contacted)
51c64c77e60f3980eea90869b68c58a8 | t5EuQW2GUF.dll | malicious | 51.178.61.60
 | uh1WyesPlh.dll | malicious | 51.178.61.60
 | 8rryPzJR1p.dll | malicious | 51.178.61.60
 | a65FgjVus4.dll | malicious | 51.178.61.60
 | bWjYh6H8wk.dll | malicious | 51.178.61.60
 | ZJOHKItBoJ.dll | malicious | 51.178.61.60
 | eyPPiz3W6u.dll | malicious | 51.178.61.60
 | 02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe | malicious | 51.178.61.60
 | HjYSwxqyUn.dll | malicious | 51.178.61.60
 | f47YPsvRI3.dll | malicious | 51.178.61.60
 | 2n64VXT08V.dll | malicious | 51.178.61.60
 | qUr4bXsweR.dll | malicious | 51.178.61.60
 | 52O6evfqQT.dll | malicious | 51.178.61.60
 | ONEitXKvz6.dll | malicious | 51.178.61.60
 | 1w9i8K6AzWV5RmHTSn8.dll | malicious | 51.178.61.60
 | nXOpgPAbKC.dll | malicious | 51.178.61.60
 | yezVNLNobB.dll | malicious | 51.178.61.60
 | rRX4GBcJKK.dll | malicious | 51.178.61.60
 | d2EyAMvU47.dll | malicious | 51.178.61.60
 | 5Fp1yvQlGM.dll | malicious | 51.178.61.60
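The JA3 value in the table above is the MD5 of five ClientHello fields (client version, cipher suites, extension types, supported groups, EC point formats), each value written in decimal, list items joined with '-', the fields joined with ',', and GREASE values removed. The script below is an added example, not code from the report or from the sandbox vendor, that computes JA3 from a raw TLS handshake record; the ClientHello it parses is constructed inline so it runs offline, and the REPORT_CONTEXT lookup only carries the hash from the table above. A JA3 hash identifies the TLS client library, not the program using it, so benign software built on the same stack produces the same value; treat a match like the one above as pivot context, not as an indicator on its own.

```python
"""JA3 from a raw TLS ClientHello record (added example, not part of the report).

JA3 = MD5("TLSVersion,Ciphers,Extensions,SupportedGroups,ECPointFormats") with
every value in decimal, list items joined by '-', and GREASE values removed.
"""
import hashlib
import struct

GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}  # 0x0a0a, 0x1a1a, ..., 0xfafa


def _u16_list(data: bytes) -> list:
    """Split a byte string into big-endian 16-bit values (a trailing odd byte is ignored)."""
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                        # client_version, then 32 bytes of random
    pos += 1 + body[pos]                 # session_id (length-prefixed)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                 # compression_methods (length-prefixed)
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):             # the extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 0x000A:          # supported_groups: u16 length + u16 list
                n = struct.unpack(">H", edata[:2])[0]
                groups = [g for g in _u16_list(edata[2:2 + n]) if g not in GREASE]
            elif etype == 0x000B:        # ec_point_formats: u8 length + u8 list
                formats = list(edata[1:1 + edata[0]])
    ja3 = ",".join([str(version)] + ["-".join(map(str, xs))
                                     for xs in (ciphers, ext_types, groups, formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal TLS 1.x ClientHello record; used only to construct test input."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed ClientHello: TLS 1.2 with a GREASE cipher and a GREASE group that JA3 must drop.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0xC02B, 0xC02F, 0x009C],
    [
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),      # server_name
        (0x000A, b"\x00\x06\x1a\x1a\x00\x1d\x00\x17"),   # supported_groups: GREASE, x25519, secp256r1
        (0x000B, b"\x01\x00"),                           # ec_point_formats: uncompressed
        (0x0023, b""),                                   # session_ticket
    ],
)

# The only JA3 hash this report lists; it is context for pivoting, not a verdict.
REPORT_CONTEXT = {
    "51c64c77e60f3980eea90869b68c58a8": "seen with other Emotet samples contacting 51.178.61.60",
}


def context_for(ja3_md5: str) -> str:
    """JA3 names the TLS client stack, so benign clients on the same stack share the hash."""
    return REPORT_CONTEXT.get(ja3_md5.lower(), "no context in this report")


if __name__ == "__main__":
    s, h = ja3_from_client_hello(SAMPLE_HELLO)
    print(s)
    print(h, context_for(h))
```

Feed `ja3_from_client_hello` the first TLS record of a captured client-to-server stream (for example the payload of the first packet after the TCP handshake in a pcap) and compare the returned hash against the table above.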

Dropped Files

No context

Created / dropped Files

Note: every file listed below was written by a Windows service process (svchost.exe hosting BITS under ProgramData\Microsoft\Network\Downloader, Delivery Optimization and the font cache) or by MpCmdRun.exe, none by the rundll32.exe process that loaded the sample, and all are flagged Malicious: false. They are background activity of the analysis VM, not artifacts of the DLL.

C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3593198815979092
Encrypted: false
SSDEEP: 12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5: BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1: C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256: BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512: 00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious: false
                                                                                                                                Preview: .............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS (libmagic misidentification from the leading bytes; by path and by the matching edb.chk this is the BITS ESE transaction log)
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.2494791022346347
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4k:BJiRdwfu2SRU4k
MD5: 31B16224968041343FE87FE985090D61
SHA1: 61C02E6426EBDBC8F1DB8E261A1128AD29EAAC6C
SHA-256: E88B02A7DEBE92E76B4E4D7F70D319B1075BD67F3C18FB23C29FBA855C3B5052
SHA-512: BA8FF67D22BC98387013BE97CC663361C8185FC6631C255DDD3A46CE508216040D1A18FE080937C0A844DFFF286C807955D666EA8FF3D06A804C8B2311237E0B
Malicious: false
                                                                                                                                Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x3b52dbcc, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.25063478065004796
Encrypted: false
SSDEEP: 384:1ze+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:1zRSB2nSB2RSjlK/+mLesOj1J2
MD5: DE18F59C5C60B85023151D8F8CFBFCC5
SHA1: AE0A392FC1DCDA352C589CF3C6E93167DAC74514
SHA-256: D27F38BF5CC3820AD4B793C8CD8217A9D8486860DE42EF0D1C2FEEAE481956FC
SHA-512: 496C8D6ADC42023E44855B69216BCD65186B64C9B6AFDBD786E055771A160BBE3212025FE6AB463550647141DB6FAF1AE453878B9EC7BEFDE9163FBC48335263
Malicious: false
                                                                                                                                Preview: ;R..... ................e.f.3...w........................)...../;...y...8...yO.h.(...../;...y....)..............3...w...........................................................................................................B...........@...................................................................................................... ...................................................................................................................................................................................................................................................V1../;...y..................y.../;...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07736530250654365
Encrypted: false
SSDEEP: 3:KJ7v/vZh/V8t6e2I6lXX22/All3Vkttlmlnl:KJrHZJytPKlXrA3
MD5: 4CE0AF395CFC1A975CD440A9ADA6E671
SHA1: 509491BB56D9A3233C9ED56BE565BE0BE3E463BC
SHA-256: 55B0F176052FB9710D47BF20821D13F1C929013A1060E977B534BD7C5BF685EA
SHA-512: 89AB4019F5DDF14A8D48A2A683A1ABDFA56B106EC94F8B207D92891D43D74EAB91ADAEC9355FA993EDEDEE8D4341839A8404D7B7B00C38A349410A851D30FA59
Malicious: false
                                                                                                                                Preview: ...q.....................................3...w...8...yO./;...y........../;...y../;...y...._..;...ya.................y.../;...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: modified
Size (bytes): 9062
Entropy (8bit): 3.169340456514327
Encrypted: false
SSDEEP: 192:cY+38+DJDD+iDtJC+iw3+gF+O5+6tw+EStN+EjjH+IC:j+s+5D+Me+X+u+M+j+l+c+r
MD5: 31DFA55FD0FA5FC5E5365A11BC769CF3
SHA1: C87F74C7456B28FB93C249E9F2071B688311B14F
SHA-256: 31C22150BA44E4429EB89CB59407EC5ECE1DA2901F58EB3E5399E6842554C219
SHA-512: CC3593FDEBC9B352885855798F501CFF858B046CD382A63E009372FF41475F74AE150D7FD66197B3694CCF5950EA3BBF6F6C7EC4056EDA2D6FF4124930046BE1
Malicious: false
Preview (UTF-16 text, decoded; truncated by the report):
  -------------------------------------------------------------------------------------
  MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
   Start Time: Thu Jun 27 2019 01:29:49
  MpEnsureProcessMitigationPolicy: hr = 0x1
  WDEnable
  ERROR: MpWDEnable(TRUE) failed (800704EC)
  MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
  -------------------------------------------------------------------------------------
  ----------------------------------------
Note: 0x800704EC is ERROR_ACCESS_DISABLED_BY_POLICY, so this entry records a failed attempt to enable Defender in a VM where it is disabled by policy; dated 2019, it predates this analysis run (the Delivery Optimization log below is from 2021-11-19) and is not activity of the sample.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211119_085707_248.etl
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 12288
Entropy (8bit): 3.8274348257309434
Encrypted: false
SSDEEP: 96:mcCkpo+sK5cu9B2YTmCe4I2l6lkRe4jsT26YFzwUMCcrJRPl5F5bMC0l5gbMCKlW:UUdQ+G2ulfCWmC0CkCiCWCl
MD5: 2BEC8C3CEEB46DDA8FEFE6D1F316B9B6
SHA1: 436ED58BE49C20836D3E6239F77095272902635A
SHA-256: 593177FD7898715E0DEBCC55124AFF7D169FAEAED8B6DA1AFB8FC9CA320B486B
SHA-512: D228499EEDFA49947134B677F08B5BBC5699D0B64CC04144A90EE5E982E332510A9C345380B7D4D399C92E6903FC67571589C86411A55E7337CF4B053ADC19D9
Malicious: false
                                                                                                                                Preview: .... ... ....................................... ...!....................................0.......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................N...=..... .......+n#...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.1.1.9._.0.8.5.7.0.7._.2.4.8...e.t.l.........P.P..........0......................................................................................................................................................................................................................................................................

                                                                                                                                Static File Info

                                                                                                                                General

                                                                                                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Entropy (8bit):7.178844070537059
                                                                                                                                TrID:
                                                                                                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
                                                                                                                                • Clipper DOS Executable (2020/12) 0.20%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                File name:FIyE6huzxV.dll
                                                                                                                                File size:485376
                                                                                                                                MD5:ae5017480fc46fea5f5b35e684be8639
                                                                                                                                SHA1:b5f7941d2b2be6fc1ee9a95a214a39404661b2bc
                                                                                                                                SHA256:610f8e0834645e2bf2a47c9d7f8cff5e902bef45750f3c2d1ad84bea66b681ca
                                                                                                                                SHA512:ea3b94860af69bf21d671999272e1eaab747031828a9834cd3558cf95e20774ddbb3782bbf35a10be2ad01aa3f2bf917a9529467c0967e77274b7cd2b5856a3d
                                                                                                                                SSDEEP:12288:bdv8jkvzqZvv2wLBSmTi12yD88kYwZ1h1:b2Zvv2cVTi1v0Z1h
                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

                                                                                                                                File Icon

                                                                                                                                Icon Hash:74f0e4ecccdce0e4

                                                                                                                                Static PE Info

                                                                                                                                General

                                                                                                                                Entrypoint:0x10015826
                                                                                                                                Entrypoint Section:.text
                                                                                                                                Digitally signed:false
                                                                                                                                Imagebase:0x10000000
                                                                                                                                Subsystem:windows gui
                                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                                Time Stamp:0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
                                                                                                                                TLS Callbacks:
                                                                                                                                CLR (.Net) Version:
                                                                                                                                OS Version Major:6
                                                                                                                                OS Version Minor:0
                                                                                                                                File Version Major:6
                                                                                                                                File Version Minor:0
                                                                                                                                Subsystem Version Major:6
                                                                                                                                Subsystem Version Minor:0
                                                                                                                                Import Hash:261bae8b02d2e7bf979e55d76b9dc786

                                                                                                                                Entrypoint Preview

                                                                                                                                Instruction
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                cmp dword ptr [ebp+0Ch], 01h
                                                                                                                                jne 00007FD2788649B7h
                                                                                                                                call 00007FD278864E0Ah
                                                                                                                                push dword ptr [ebp+10h]
                                                                                                                                push dword ptr [ebp+0Ch]
                                                                                                                                push dword ptr [ebp+08h]
                                                                                                                                call 00007FD278864868h
                                                                                                                                add esp, 0Ch
                                                                                                                                pop ebp
                                                                                                                                retn 000Ch
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                push esi
                                                                                                                                push dword ptr [ebp+08h]
                                                                                                                                mov esi, ecx
                                                                                                                                call 00007FD2788507FEh
                                                                                                                                mov dword ptr [esi], 1003B3E8h
                                                                                                                                mov eax, esi
                                                                                                                                pop esi
                                                                                                                                pop ebp
                                                                                                                                retn 0004h
                                                                                                                                and dword ptr [ecx+04h], 00000000h
                                                                                                                                mov eax, ecx
                                                                                                                                and dword ptr [ecx+08h], 00000000h
                                                                                                                                mov dword ptr [ecx+04h], 1003B3F0h
                                                                                                                                mov dword ptr [ecx], 1003B3E8h
                                                                                                                                ret
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                push esi
                                                                                                                                push dword ptr [ebp+08h]
                                                                                                                                mov esi, ecx
                                                                                                                                call 00007FD2788507CBh
                                                                                                                                mov dword ptr [esi], 1003B404h
                                                                                                                                mov eax, esi
                                                                                                                                pop esi
                                                                                                                                pop ebp
                                                                                                                                retn 0004h
                                                                                                                                and dword ptr [ecx+04h], 00000000h
                                                                                                                                mov eax, ecx
                                                                                                                                and dword ptr [ecx+08h], 00000000h
                                                                                                                                mov dword ptr [ecx+04h], 1003B40Ch
                                                                                                                                mov dword ptr [ecx], 1003B404h
                                                                                                                                ret
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                push esi
                                                                                                                                mov esi, ecx
                                                                                                                                lea eax, dword ptr [esi+04h]
                                                                                                                                mov dword ptr [esi], 1003B3DCh
                                                                                                                                push eax
                                                                                                                                call 00007FD2788680C6h
                                                                                                                                test byte ptr [ebp+08h], 00000001h
                                                                                                                                pop ecx
                                                                                                                                je 00007FD2788649BCh
                                                                                                                                push 0000000Ch
                                                                                                                                push esi
                                                                                                                                call 00007FD278863E3Dh
                                                                                                                                pop ecx
                                                                                                                                pop ecx
                                                                                                                                mov eax, esi
                                                                                                                                pop esi
                                                                                                                                pop ebp
                                                                                                                                retn 0004h
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                sub esp, 0Ch
                                                                                                                                lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                call 00007FD27886492Fh
                                                                                                                                push 0004CC44h

                                                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x4d710          0x5c0         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4dcd0          0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x52000          0x24410       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x77000          0x33a0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x498f8          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3b000          0x2f8         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x3930c       0x39400   False     0.530729735262   data       6.66187646144  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x3b000          0x13cfe       0x13e00   False     0.464512087264   data       5.41556152438  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x4f000          0x252c        0x1800    False     0.223795572917   data       3.845062089    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x52000          0x24410       0x24600   False     0.818527169244   data       7.74945542405  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x77000          0x33a0        0x3400    False     0.71484375       data       6.58405020621  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                Resources

Name         RVA      Size     Type                                       Language  Country
REGISTRY     0x758d0  0x98     ASCII text, with CRLF line terminators     English   United States
REGISTRY     0x75968  0x260    ASCII text, with CRLF line terminators     English   United States
TYPELIB      0x75bc8  0x69c    data                                       English   United States
RT_BITMAP    0x52220  0x23467  data                                       English   United States
RT_STRING    0x76268  0x26     data                                       English   United States
RT_VERSION   0x75688  0x244    data                                       English   United States
RT_MANIFEST  0x76290  0x17d    XML 1.0 document text                      English   United States

                                                                                                                                Imports

DLL           Imports
pdh.dll:      PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll: GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll:   GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll:    SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll: RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll:  ShellExecuteW, SHGetFolderPathW
ole32.dll:    CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll: LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib
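
The Static PE Info, Data Directories, Sections and Exports tables in this report are all derived from the PE headers of the DLL, and an analyst usually wants to reproduce them locally rather than trust a single sandbox view. The script below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It uses only the Python standard library, handles PE32 images only (this file is 32-bit, magic 0x10b), walks the section table to translate RVAs to file offsets, computes per-section Shannon entropy, and reads the export directory to list name, ordinal and absolute address exactly as the Exports table does. The export_triage heuristic (a Control_RunDLL export next to a majority of lowercase pseudo-random names, the pattern visible in this report's export table) is the editor's own rule of thumb, not a vendor signature. The build_sample_dll function produces a constructed minimal DLL for offline testing; it is test data, not the analysed file. Run the parser only against a copy of the sample in an isolated analysis VM, and never load or execute the DLL itself.

```python
"""Stdlib-only PE32 triage: sections with entropy, data directories, the export
table, and an export-name heuristic. Editor's example, not sandbox or sample code."""
import math
import struct
from collections import Counter

DIR_EXPORT = 0  # index of IMAGE_DIRECTORY_ENTRY_EXPORT in the data directory


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte, the figure the Sections table reports."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table -> export directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rsize, "rawptr": rptr, "entropy": entropy(data[rptr:rptr + rsize])})

    def off(rva: int) -> int:                                           # RVA -> file offset
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError(f"RVA {rva:#x} maps to no section")

    exports = []
    if dirs and dirs[DIR_EXPORT][0]:
        e = off(dirs[DIR_EXPORT][0])
        # IMAGE_EXPORT_DIRECTORY from offset 16: Base, NumberOfFunctions, NumberOfNames, 3 table RVAs
        ord_base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<6I", data, e + 16)
        funcs = struct.unpack_from(f"<{nfuncs}I", data, off(funcs_rva))
        names = struct.unpack_from(f"<{nnames}I", data, off(names_rva))
        ords = struct.unpack_from(f"<{nnames}H", data, off(ords_rva))
        for name_rva, idx in zip(names, ords):
            o = off(name_rva)
            exports.append((data[o:data.index(b"\0", o)].decode(), ord_base + idx, base + funcs[idx]))
    return {"machine": machine, "characteristics": chars, "entrypoint": base + entry,
            "image_base": base, "data_dirs": dirs, "sections": sections, "exports": exports}


def export_triage(exports) -> dict:
    """Editor's heuristic: Control_RunDLL (the name a rundll32 command line would
    call) next to a majority of lowercase pseudo-random export names."""
    names = [n for n, _, _ in exports]
    junk = [n for n in names if n != "Control_RunDLL" and n.isalpha() and n.islower() and len(n) >= 7]
    has_crd = "Control_RunDLL" in names
    return {"has_control_rundll": has_crd, "random_looking": len(junk),
            "suspicious": has_crd and 2 * len(junk) >= len(names)}


def build_sample_dll() -> bytes:
    """Constructed minimal PE32 DLL (test data, not the analysed sample) whose
    export table mirrors the report's first two exports at the same addresses."""
    base, sec_va, sec_raw, falign = 0x10000000, 0x1000, 0x200, 0x200
    names, func_rvas = ["Control_RunDLL", "abziuleoxsborpb"], [0x1200, 0x1570]  # names kept sorted
    n = len(names)
    funcs_rva, names_rva, ords_rva = sec_va + 40, sec_va + 40 + 4 * n, sec_va + 40 + 8 * n
    strings, str_rvas = bytearray(), []
    for s in ["sample.dll"] + names:
        str_rvas.append(ords_rva + 2 * n + len(strings))
        strings += s.encode() + b"\0"
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rvas[0], 1, n, n, funcs_rva, names_rva, ords_rva)
    exp += struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *str_rvas[1:])
    exp += struct.pack(f"<{n}H", *range(n)) + strings
    rsize = -(-len(exp) // falign) * falign
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    fhdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)       # i386, 1 section, DLL
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, rsize, 0, 0x1200, sec_va, sec_va, base, 0x1000, falign,
                      6, 0, 6, 0, 6, 0, 0, sec_va + 0x1000, sec_raw, 0, 2, 0x140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_EXPORT] = (sec_va, len(exp))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    shdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(exp), sec_va, rsize, sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + fhdr + opt + shdr).ljust(sec_raw, b"\0") + exp.ljust(rsize, b"\0")


if __name__ == "__main__":
    import sys
    info = parse_pe(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll())
    print(f"entrypoint {info['entrypoint']:#x}  image base {info['image_base']:#x}")
    for s in info["sections"]:
        print(f"{s['name']:<8} va={s['va']:#08x} raw={s['rawsize']:#08x} entropy={s['entropy']:.2f}")
    for name, ordinal, addr in info["exports"]:
        print(f"{name:<24}{ordinal:>4}  {addr:#x}")
    print(export_triage(info["exports"]))
```

Invoked with the path of a copy of the DLL as its single argument it prints the entrypoint, one line per section with raw size and entropy, and the export list; with no argument it runs on the constructed sample. The RVA translation deliberately uses the larger of VirtualSize and SizeOfRawData, because packed files sometimes declare one of the two as zero; the report's .data section (virtual 0x252c, raw 0x1800) is a reminder that the two routinely differ.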

                                                                                                                                Exports

Name               Ordinal  Address
Control_RunDLL     1        0x10001200
abziuleoxsborpb    2        0x10001570
aejkroaebsbxdnkhb  3        0x10001430
amgshvm            4        0x10001340
bjtmgxqrshhlmbh    5        0x10001320
ciqnowraabbra      6        0x100013e0
cmiqzvq            7        0x10001450
crprctzst          8        0x10001360
cwiynhgawsfh       9        0x100012f0
dhfyfrdbpo         10       0x100012c0
dvmyigplnf         11       0x10001480
erlpzdqhrlacaxnda  12       0x10001440
euduauchas         13       0x100014b0
fjorczheej         14       0x10001390
fqtruzg            15       0x100014c0
fzxvmnutn          16       0x100014d0
ghrfpkc            17       0x10001280
ghrmmrvezk         18       0x10001530
hjbgnfzrilso       19       0x100015d0
hvbblczdjkdx       20       0x10001310
ifsmmtyjag         21       0x10001310
jbgiwxjtyvvaxuitk  22       0x10001410
jhjtpuvq           23       0x10001260
jovvzziqyeznb      24       0x100015a0
kbkufclc           25       0x100014e0
kxpdpqduritjwfv    26       0x10001560
lfirwsslmgzmfg     27       0x10001330
mdaepyqwwigtzy     28       0x10001500
meqzizr            29       0x10001350
mmykgdmikdunzlhbb  30       0x10001520
mxqliouinhlsqvw    31       0x100013b0
                                                                                                                                mzxbssgzqetjmifs320x10001490
                                                                                                                                ndzjkcaftnq330x10001510
                                                                                                                                nfwlevhbaunupm340x100013c0
                                                                                                                                njhdfbkyxqtwtcvsa350x10001300
                                                                                                                                nmzgdiluzbemovs360x10001400
                                                                                                                                obsypougzzamg370x100013d0
                                                                                                                                oqzjqpsxbjh380x100012d0
                                                                                                                                ormmaboaiinycs390x10001230
                                                                                                                                pejacnmfhwmlhqc400x10001340
                                                                                                                                pzgjkxaqryk410x100015b0
                                                                                                                                qlsxhmuh420x10001240
                                                                                                                                rykrtqanuszehh430x10001550
                                                                                                                                sktlwejyhkbweva440x100014a0
                                                                                                                                sromrbjt450x10001460
                                                                                                                                txrogplicljtdlky460x100012e0
                                                                                                                                tywxzfemhfuvwwqtq470x10001270
                                                                                                                                ukeirvjwemstdk480x10001250
                                                                                                                                usfroye490x10001370
                                                                                                                                varapmou500x100013a0
                                                                                                                                vjfbgya510x100015c0
                                                                                                                                vpzxnmg520x10001590
                                                                                                                                wniijfgeibtaumvma530x100014f0
                                                                                                                                wtkpnwha540x10001470
                                                                                                                                xkdmdojzjns550x10001420
                                                                                                                                yumftkya560x100012a0
                                                                                                                                ywkvngmohrw570x10001380
                                                                                                                                ywwwgcpzcec580x10001580
                                                                                                                                yyldomdvsymz590x10001290
                                                                                                                                zdcdzgtngf600x100012b0
                                                                                                                                zwxnlwalmcbgmt610x100013f0
                                                                                                                                zzvywuxdvuecsm620x10001540
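The export names above are random, and two pairs of them resolve to the same address (ordinals 4 and 40 both at 0x10001340, ordinals 20 and 21 both at 0x10001310), so the number of names overstates the number of distinct functions. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the flattened "name + ordinal + address" form shown on this page and groups names by target address. The embedded rows are a subset copied from the table above; the image base 0x10000000 is assumed from the 0x1000xxxx addresses, and the parsing regex relies on this sample's lowercase-letters-only export names.

```python
import re
from collections import defaultdict

# Subset of the export table rows copied as they appear on this page (name,
# ordinal and address run together). The two address-sharing pairs are included.
EXPORT_ROWS = """
amgshvm40x10001340
bjtmgxqrshhlmbh50x10001320
ciqnowraabbra60x100013e0
cmiqzvq70x10001450
dhfyfrdbpo100x100012c0
hvbblczdjkdx200x10001310
ifsmmtyjag210x10001310
jbgiwxjtyvvaxuitk220x10001410
ormmaboaiinycs390x10001230
pejacnmfhwmlhqc400x10001340
zzvywuxdvuecsm620x10001540
"""

# Names are lowercase letters only, ordinals are decimal, and the address is
# "0x" plus exactly eight hex digits, so the three fields can be split without
# a separator; the regex backtracks to find the only consistent split.
ROW_RE = re.compile(r"^([a-z]+)(\d+)(0x[0-9a-f]{8})$")


def parse_export_rows(text):
    """Return [(name, ordinal, address)] from flattened rows; raise on a bad row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable export row: {line!r}")
        name, ordinal, addr = m.groups()
        rows.append((name, int(ordinal), int(addr, 16)))
    return rows


def aliased_exports(rows):
    """Map address -> [names] for every address reached by more than one name."""
    by_addr = defaultdict(list)
    for name, _, addr in rows:
        by_addr[addr].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


def unique_targets(rows, image_base=0x10000000):
    """Sorted distinct RVAs (address minus the assumed image base): the set of
    functions that actually need reversing, however many names point at them."""
    return sorted({addr - image_base for _, _, addr in rows})


if __name__ == "__main__":
    rows = parse_export_rows(EXPORT_ROWS)
    for addr, names in sorted(aliased_exports(rows).items()):
        print(f"{addr:#010x}: {', '.join(names)}")
    print(f"{len(rows)} export names -> {len(unique_targets(rows))} distinct targets")
```

Run against the full table on this page, the same grouping tells you which of the 62 names to skip when walking the exports in a disassembler.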

                                                                                                                                Version Infos

Description | Data
InternalName | Erulfuaekg.dll
FileVersion | 3.3.7.9
ProductName | Erulfuaekg
ProductVersion | 3.3.7.9
FileDescription | asdzxcqwe123
OriginalFilename | Erulfuaekg.dll
Translation | 0x0408 0x04e4 (language ID 0x0408 is Greek, code page 0x04e4 is 1252, Windows Western European)

These VERSIONINFO strings are set by whoever built the file and carry no trust; they are useful as pivot values, not as provenance.

                                                                                                                                Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                                                                Network Behavior

                                                                                                                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/21-00:57:47.925302 | TCP | 2404334 | ET CNC Feodo Tracker Reported CnC Server TCP group 18 | 49764 | 443 | 192.168.2.7 | 51.178.61.60

                                                                                                                                Network Port Distribution

                                                                                                                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2021 00:57:47.925302029 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:47.925386906 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:47.925508022 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:47.951344967 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:47.951391935 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:48.086988926 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:48.087169886 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.134778976 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.134815931 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:49.135456085 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:49.135540009 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.148952961 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.196868896 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:49.438076019 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:49.438138962 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7
Nov 19, 2021 00:57:49.438141108 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.438242912 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.439479113 CET | 49764 | 443 | 192.168.2.7 | 51.178.61.60
Nov 19, 2021 00:57:49.439496994 CET | 443 | 49764 | 51.178.61.60 | 192.168.2.7

                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                • 51.178.61.60

                                                                                                                                HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49764 | 51.178.61.60 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-18 23:57:49 UTC | 0 | OUT | GET /ixufuEvpOVRaGsMcwVdxxNdVEbwDu HTTP/1.1
Cookie: aCktUHAkMKD=TfyHqYLXTgYzdruEwNizDAfbCqZTgvqsH66CTQb1ytbBq80BnlqrtzN99nJXwaPo9lxyz/uAmFRullUIX0ZowWZs9CNvL/wvwz9s0Lyk9stGcsTkt35/6+ScCB6oHb65u6YN4GepkyMPsVCOcYLehsOLK7Ic3r5z0nvRBBYP/pa0Ftru5H1By1CJJuTLx5srUGF+6FxghaKUJmk9h02X8MAniWAG0gALx5fIxZLs/7s3UdtcvXiWG9uyM0dj8j6ddiLVwX64otV1KIALayfbuVeEUs4Up9/eppFXVuKG+YmasQ==
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
2021-11-18 23:57:49 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Nov 2021 23:57:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2021-11-18 23:57:49 UTC | 0 | IN | Data Raw: 32 64 62 0d 0a 09 48 48 16 19 48 fb 82 d7 dc 59 4a aa e8 31 16 04 97 01 9c 97 e8 c7 92 6c 50 b3 73 c7 95 0d 3a 3f 4c 6e 4e 6f a1 4a dd d4 e1 c4 34 44 e7 f2 cd 66 e5 32 a6 97 ca b4 64 90 75 c2 28 48 50 f2 57 40 c5 dc d8 d6 9b a1 14 1c c0 98 25 cf 6c 2d f9 ec bb 4c 1b 61 f9 85 88 bc d6 94 9e c5 4a 76 c1 34 86 65 00 8a a3 0e 31 e1 8d 03 1d 4a ff 68 ba 3d c3 6e b0 5a 63 2c 98 3e 94 35 96 31 78 ab 88 68 e6 85 86 96 16 de c0 cc b9 2c 32 29 62 11 72 1d 7e b0 ac 9f 33 85 10 3e b9 2f df e6 78 ff db c4 0f d9 0c 49 c6 0b 76 54 67 3a 72 be 9d 8f 0f 3e 6a 6b 4e 71 2b 6c b7 7a e2 28 16 14 b7 70 49 1a 86 1d c7 5c a7 2d 4f 33 6e 01 43 dd 2b 28 ac 77 fe b1 70 40 51 80 83 e0 bb 91 98 89 22 f6 4e 72 f7 72 c2 62 43 4e 80 14 6f fe a5 27 16 c6 b6 d7 03 3a a0 25 0f 15 79 1f 18
Data Ascii: 2dbHHHYJ1lPs:?LnNoJ4Df2du(HPW@%l-LaJv4e1Jh=nZc,>51xh,2)br~3>/xIvTg:r>jkNq+lz(pI\-O3nC+(wp@Q"NrrbCNo':%y
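The Snort hit above fires on the destination IP being in the Feodo Tracker list, which stops working the moment the C2 moves. The request itself carries traits that survive an IP change: a GET to a bare IP with no User-Agent header, a single Cookie whose value is a long base64 blob, Cache-Control: no-cache on a GET, and a chunked response whose first size line is "2db" (0x2db = 731 bytes of opaque data). The Python below is an added example, not part of the report and not the Emerging Threats or Joe Security detection logic: it parses the request exactly as captured above, reports which of those traits match, decodes the Cookie blob to get its length, and reads the chunk header from the raw bytes. The five indicators are a heuristic set of my own choosing; some legitimate clients match one or two of them, so treat the result as a triage score rather than a verdict. The benign request used for contrast is constructed.

```python
import base64
import ipaddress
import re

# Request copied from the proxied session above; the Cookie value is the
# client's encrypted registration blob.
REQUEST = (
    "GET /ixufuEvpOVRaGsMcwVdxxNdVEbwDu HTTP/1.1\r\n"
    "Cookie: aCktUHAkMKD=TfyHqYLXTgYzdruEwNizDAfbCqZTgvqsH66CTQb1ytbBq80BnlqrtzN99nJXwaPo9lxyz/"
    "uAmFRullUIX0ZowWZs9CNvL/wvwz9s0Lyk9stGcsTkt35/6+ScCB6oHb65u6YN4GepkyMPsVCOcYLehsOLK7Ic3r5z0nvRBBYP/"
    "pa0Ftru5H1By1CJJuTLx5srUGF+6FxghaKUJmk9h02X8MAniWAG0gALx5fIxZLs/7s3UdtcvXiWG9uyM0dj8j6ddiLVwX64otV1KI"
    "ALayfbuVeEUs4Up9/eppFXVuKG+YmasQ==\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
)

# First bytes of the "Data Raw" response body above (prefix only).
RESPONSE_RAW_PREFIX = bytes.fromhex(
    "32 64 62 0d 0a 09 48 48 16 19 48 fb 82 d7 dc 59 4a aa e8 31 16 04 97 01 9c 97 e8 c7 92 6c 50"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lowercase header: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def _is_bare_ip(host):
    """True when the Host header is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def emotet_beacon_indicators(raw):
    """Names of the matching traffic traits, in a fixed order. No single one is
    conclusive; all five together is the shape of the request above."""
    method, path, h = parse_request(raw)
    hits = []
    if "user-agent" not in h:
        hits.append("no_user_agent")
    if _is_bare_ip(h.get("host", "")):
        hits.append("bare_ip_host")
    if re.fullmatch(r"/[A-Za-z0-9]{8,}", path):
        hits.append("random_alnum_path")
    cookie = h.get("cookie", "")
    value = cookie.partition("=")[2]
    if cookie and ";" not in cookie and len(value) >= 64 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        hits.append("single_b64_cookie")
    if method == "GET" and h.get("cache-control", "").lower() == "no-cache":
        hits.append("nocache_get")
    return hits


def cookie_payload_length(raw):
    """Length in bytes of the base64-decoded Cookie value (padding repaired if cut)."""
    value = parse_request(raw)[2]["cookie"].partition("=")[2]
    return len(base64.b64decode(value + "=" * (-len(value) % 4)))


def first_chunk(body_prefix):
    """Parse the chunked-encoding size line; return (declared size, printable ratio
    of the bytes that follow it). A low ratio means the body is not text."""
    size_line, _, data = body_prefix.partition(b"\r\n")
    size = int(size_line.split(b";")[0], 16)  # ignore any chunk extension
    ratio = round(sum(32 <= b < 127 for b in data) / len(data), 2) if data else 0.0
    return size, ratio


if __name__ == "__main__":
    print(emotet_beacon_indicators(REQUEST))
    print("cookie payload bytes:", cookie_payload_length(REQUEST))
    print("first chunk (size, printable ratio):", first_chunk(RESPONSE_RAW_PREFIX))
```

The Content-Type of text/html on a body that is mostly non-printable bytes is itself worth a rule in a proxy that inspects decrypted traffic; the chunk parser above gives you the declared length to compare against the bytes actually seen.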


                                                                                                                                Code Manipulations

                                                                                                                                Statistics

                                                                                                                                Behavior


                                                                                                                                System Behavior

                                                                                                                                General

Start time: 00:56:19
Start date: 19/11/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll"
Imagebase: 0x1090000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.352423510.00000000008EB000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

                                                                                                                                General

Start time: 00:56:20
Start date: 19/11/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                General

Start time: 00:56:20
Start date: 19/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL
Imagebase: 0x3e0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.351034288.0000000003565000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

                                                                                                                                General

Start time: 00:56:20
Start date: 19/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1
Imagebase: 0x3e0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.351194213.0000000002A3A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

                                                                                                                                General

Start time: 00:56:25
Start date: 19/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb
Imagebase: 0x3e0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.350213708.0000000002E7A000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high
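The rundll32 entries above show the same DLL, loaded from the user's Desktop, invoked three ways: by ordinal (",#1"), through the generic Control_RunDLL entry point, and by a random-looking export name. Those three shapes are what a process-creation rule for this family keys on. The Python below is an added example, not part of the report and not the Sigma rule the report refers to: it parses rundll32 command lines and returns the reasons a line merits an alert. The event list is constructed from the command lines on this page plus one benign control line (shell32.dll from System32) that is mine; the KNOWN_ENTRIES set and the user-writable path markers are likewise my own choices, and unquoted DLL paths containing spaces are not handled.

```python
import re

# Constructed process-creation command lines: the first four are copied from the
# process list above, the last two are added controls (benign rundll32, and a
# line that does not invoke rundll32 at all).
EVENTS = [
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1',
    r'rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",#1',
    r"rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,Control_RunDLL",
    r"rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,abziuleoxsborpb",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS",
]

# rundll32 syntax: rundll32[.exe] <dll path, optionally quoted>,<entry>
# where <entry> is an export name or #<ordinal>.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^"\s,]+))\s*,\s*(\S+)', re.IGNORECASE
)

# Exports legitimately reached through rundll32 all day long; anything else
# gets a closer look. This list is an assumption, extend it for your estate.
KNOWN_ENTRIES = {
    "control_rundll", "dllregisterserver", "dllunregisterserver", "dllinstall",
    "launchinfsection", "shellexec_rundll", "openas_rundll", "printuientry",
}
# Path fragments that mark locations an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_rundll32(cmdline):
    """Return (dll_path, entry) or None when the line does not invoke rundll32."""
    m = RUNDLL_RE.search(cmdline)
    if m is None:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def rundll32_reasons(cmdline):
    """Heuristic reasons this invocation deserves an alert, in a fixed order;
    [] for benign-looking lines and for lines that do not invoke rundll32."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        reasons.append("dll_in_user_writable_path")
    if entry.startswith("#"):
        reasons.append("ordinal_entry")          # the ",#1" form above
    elif entry.lower() not in KNOWN_ENTRIES and re.fullmatch(r"[a-z]{7,}", entry):
        reasons.append("unusual_export_name")    # the ",abziuleoxsborpb" form above
    return reasons


def triage(events):
    """Map each command line to its reasons, keeping only lines with at least one."""
    flagged = {}
    for event in events:
        reasons = rundll32_reasons(event)
        if reasons:
            flagged[event] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(EVENTS).items():
        print(f"{', '.join(reasons):45s} {line}")
```

The cmd.exe line is flagged too, because the rundll32 invocation is visible in its command line before the child process exists; matching on the command line rather than the image name catches the intent one hop earlier. The dll_in_user_writable_path reason carries most of the weight; the entry-point reasons only sharpen it, since Control_RunDLL is used by legitimate control-panel applets.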

                                                                                                                                General

Start time: 00:56:25
Start date: 19/11/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                General

                                                                                                                                Start time:00:56:29
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\FIyE6huzxV.dll,aejkroaebsbxdnkhb
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.352676760.00000000034EA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                Reputation:high

                                                                                                                                General

                                                                                                                                Start time:00:56:34
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high

                                                                                                                                General

                                                                                                                                Start time:00:56:50
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high

                                                                                                                                General

                                                                                                                                Start time:00:56:50
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esbkudiqskvxrfyc\iscoyl.gsm",sRLFwndulUmgRNP
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.377422235.00000000030DA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                Reputation:high

                                                                                                                                General

                                                                                                                                Start time:00:56:51
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:56:59
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:06
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:07
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\FIyE6huzxV.dll",Control_RunDLL
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:07
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:14
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                Imagebase:0x7ff6de5a0000
                                                                                                                                File size:163336 bytes
                                                                                                                                MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:15
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:18
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:57:19
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Esbkudiqskvxrfyc\iscoyl.gsm",Control_RunDLL
                                                                                                                                Imagebase:0x3e0000
                                                                                                                                File size:61952 bytes
                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000013.00000002.773455424.0000000003285000.00000004.00000020.sdmp, Author: Joe Security

                                                                                                                                General

                                                                                                                                Start time:00:57:53
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                General

                                                                                                                                Start time:00:58:14
                                                                                                                                Start date:19/11/2021
                                                                                                                                Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:58:16
Start date: 19/11/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff719940000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:58:16
Start date: 19/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:58:17
Start date: 19/11/2021
Path: C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit): false
Commandline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase: 0x7ff772bb0000
File size: 36864 bytes
MD5 hash: 02BA81746B929ECC9DB6665589B68335
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 00:58:29
Start date: 19/11/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

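The per-process records above are a table flattened to one `key:value` field per line. The Python below is an added example, not part of the report or of the sandbox vendor's tooling: it parses such records (a constructed excerpt copying three of the processes from this section) into typed dicts and runs the three checks an analyst usually wants when reading a sandbox process list: whether the image name in the command line matches the on-disk `Path` (a cheap masquerading check), whether every image lives under `C:\Windows` or `C:\Program Files`, and which processes the report marks elevated but not administrator. The directory allow-list and the `General` block delimiter are assumptions about the report layout; the parser splits each line on its first colon only and tolerates a space after it.

```python
"""Added example: parse flattened per-process 'General' records and run triage checks."""
from typing import Dict, List, Tuple

# Constructed excerpt: three records copied from this section of the report
# (key:value form as flattened; the parser also accepts 'key: value').
SAMPLE_REPORT = r"""
General

Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff719940000
File size:455656 bytes
MD5 hash:A267555174BFA53844371226F482B86B
Has elevated privileges:true
Has administrator privileges:false

General

Path:C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit):false
Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase:0x7ff772bb0000
File size:36864 bytes
MD5 hash:02BA81746B929ECC9DB6665589B68335
Has elevated privileges:true
Has administrator privileges:false

General

Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
"""

BOOL_KEYS = {"Wow64 process (32bit)", "Has elevated privileges", "Has administrator privileges"}


def parse_report(text: str) -> List[Dict[str, object]]:
    """Split on 'General' headers (assumed delimiter), then read each key:value line on
    its FIRST colon only, so drive letters and times keep theirs. Booleans, the hex
    image base and the byte count are coerced; every other field stays a string."""
    records: List[Dict[str, object]] = []
    for block in text.split("\nGeneral\n")[1:]:
        rec: Dict[str, object] = {}
        for line in block.strip().splitlines():
            if ":" not in line:
                continue
            key, value = (part.strip() for part in line.split(":", 1))
            if key in BOOL_KEYS:
                rec[key] = value.lower() == "true"
            elif key == "Imagebase":
                rec[key] = int(value, 16)
            elif key == "File size":
                rec[key] = int(value.split()[0])
            else:
                rec[key] = value
        if rec:
            records.append(rec)
    return records


def first_token(cmdline: str) -> str:
    """Image token of a Windows command line: a leading double-quoted string, else the
    text up to the first whitespace."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_name_mismatches(records) -> List[Tuple[str, str]]:
    """Processes whose command-line image name differs from the on-disk Path: a cheap
    masquerading check. File name only and case-insensitive, so 'mpcmdrun.exe' vs
    'MpCmdRun.exe' and a bare 'BackgroundTransferHost.exe' both pass."""
    return [(str(r.get("Path", "")), str(r.get("Commandline", ""))) for r in records
            if basename(first_token(str(r.get("Commandline", "")))) != basename(str(r.get("Path", "")))]


def outside_allowed_dirs(records, allowed=("c:\\windows\\", "c:\\program files\\")) -> List[str]:
    """Image paths not under the allow-listed directories (assumed list, case-insensitive)."""
    return [str(r["Path"]) for r in records if not str(r["Path"]).lower().startswith(allowed)]


def elevated_not_admin(records) -> List[str]:
    """Paths the report marks 'Has elevated privileges' but not 'Has administrator privileges'."""
    return [str(r["Path"]) for r in records
            if r.get("Has elevated privileges") and not r.get("Has administrator privileges")]
```

On this excerpt all three image names match their paths and every image is under an allow-listed directory, so the first two checks return empty lists; the third lists MpCmdRun.exe and BackgroundTransferHost.exe. A record with `Path` under `C:\Users\Public` and a `rundll32.exe` command line would be flagged by both path checks.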
Disassembly

Code Analysis
