
Windows Analysis Report dUGnMYeP1C

Overview

General Information

Sample Name: dUGnMYeP1C (renamed file extension from none to dll)
Analysis ID: 524858
MD5: 9369750d8d21d8fcb1b35365f232625f
SHA1: 30902a381e823450780e0efbbdc4d4130a032e20
SHA256: 8d91807aa27ee93694388b7cbfa9d74a3d93407036650cdd29631360b675853f
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6480 cmdline: loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6492 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6468 cmdline: rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6508 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6544 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6564 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4596 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Columns: Source; Rule; Description; Author; Strings
Source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
(2 further entries not shown in this extract)

Unpacked PEs

Columns: Source; Rule; Description; Author; Strings
Source: 6.2.rundll32.exe.7b43e8.0.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 3.2.rundll32.exe.9e4140.0.raw.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 7.2.rundll32.exe.8b4350.1.raw.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 9.2.rundll32.exe.3264268.1.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 7.2.rundll32.exe.8b4350.1.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
(5 further entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started; Author: FPT.EagleEye; Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6468, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, ProcessId: 1688

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.7b43e8.0.raw.unpack; Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: dUGnMYeP1C.dll; Virustotal: Detection: 19%
Source: dUGnMYeP1C.dll; ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: https://51.178.61.60/; Virustotal: Detection: 9%
Source: dUGnMYeP1C.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown; HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: dUGnMYeP1C.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E4DD1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_6E4DD1EE FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_031E1A80 FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49763 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 51.178.61.60:443
Source: Malware configuration extractor; IPs: 168.197.250.14:80
Source: Malware configuration extractor; IPs: 45.79.33.48:8080
Source: Malware configuration extractor; IPs: 196.44.98.190:8080
Source: Malware configuration extractor; IPs: 177.72.80.14:7080
Source: Malware configuration extractor; IPs: 51.210.242.234:8080
Source: Malware configuration extractor; IPs: 185.148.169.10:8080
Source: Malware configuration extractor; IPs: 142.4.219.173:8080
Source: Malware configuration extractor; IPs: 78.47.204.80:443
Source: Malware configuration extractor; IPs: 78.46.73.125:443
Source: Malware configuration extractor; IPs: 37.44.244.177:8080
Source: Malware configuration extractor; IPs: 37.59.209.141:8080
Source: Malware configuration extractor; IPs: 191.252.103.16:80
Source: Malware configuration extractor; IPs: 54.38.242.185:443
Source: Malware configuration extractor; IPs: 85.214.67.203:8080
Source: Malware configuration extractor; IPs: 54.37.228.122:443
Source: Malware configuration extractor; IPs: 207.148.81.119:8080
Source: Malware configuration extractor; IPs: 195.77.239.39:8080
Source: Malware configuration extractor; IPs: 66.42.57.149:443
Source: Malware configuration extractor; IPs: 195.154.146.35:443
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View; JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic; HTTP traffic detected:
    GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1
    Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ==
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View; IP Address: 196.44.98.190 196.44.98.190
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown; Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown; TCP traffic detected without corresponding DNS query: 51.178.61.60
                      Source: svchost.exe, 00000019.00000003.962071156.000001FFDD78F000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000019.00000003.962071156.000001FFDD78F000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000019.00000003.962101432.000001FFDD7A0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ"
,"VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                      Source: svchost.exe, 00000019.00000003.962101432.000001FFDD7A0000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ"
,"VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z||.||2bbf585d-742f-4e5f-bf99-34064e28fbbf||1152921505694183347||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, 0000000E.00000003.836491061.0000000003666000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.978146496.000001FFDD700000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.978005532.000001FFDD0EF000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp; String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp; String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp; String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp; String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp; String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000019.00000003.959264730.000001FFDD7A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp; String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_031F1027 InternetReadFile,
Source: global traffic; HTTP traffic detected:
    GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1
    Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ==
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown; HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: loaddll32.exe, 00000000.00000002.765596973.000000000164B000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E4B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match; File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Source: dUGnMYeP1C.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.IdentifierJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Syakyqcviop\Jump to behavior
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F43B3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FCAA8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01401343
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E6B25
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E5923
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E251C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FFD10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E2309
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F577E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F1F6B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F056A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3F5C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EC158
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0140292B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FF14D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01400B34
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3345
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_014025C3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EBFB6
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FB1B5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F7BB2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F4BAA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F2FA2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F9DA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FD99A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FB397
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EFD91
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E4F8E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E758F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_014003F1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F4D8D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E9384
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EC5FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01401193
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E55E8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FBFE8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EA3DF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E6FC4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FF83F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EEC27
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E9E22
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013ED223
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F5220
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E441E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EF41F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EE21C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F1C10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E1A0A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E220A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E8C09
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E4C00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E1C76
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F406E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E9A57
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E2654
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EA048
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E2A46
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3845
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01401A3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E2043
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FE441
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F98BD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F90BA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E5AB2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EDAAE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_014008D1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F44AA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FD6A7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F78A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EFEA0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FAC9B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EAC95
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FD091
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3C91
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013ECC8D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F4E8A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F748A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E7283
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01400687
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E30F6
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FDEF4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FA8F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FAEEB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FECE3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F0ADE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FCCD4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013F7ED1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FBEC9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B6620
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B5730
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B5EE0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4DC6FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4BF700
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D3780
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CDC5D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C1CD0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CDA2D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2A80
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CA29D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4E3074
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4E1929
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B6620
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B5730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B5EE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4DC6FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4BF700
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4D3780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4CDC5D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4C1CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4CDA2D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B2A80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4CA29D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4E3074
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4E1929
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFCAA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE441E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF43B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFAEEB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFECE3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE30F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFDEF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFA8F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F008D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFBEC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF0ADE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFCCD4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF7ED1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEDAAE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF44AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFD6A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF78A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEFEA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF98BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF90BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE5AB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EECC8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF4E8A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF748A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE7283
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFAC9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F00687
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEAC95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFD091
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE3C91
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF406E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE1C76
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEA048
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE2A46
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE3845
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE2043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFE441
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE9A57
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE2654
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEEC27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE9E22
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F01A3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EED223
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF5220
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFF83F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE1A0A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE220A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE8C09
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE4C00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEF41F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEE21C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF1C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F003F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE55E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFBFE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEC5FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE6FC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEA3DF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F025C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF4BAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF2FA2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF9DA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEBFB6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFB1B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF7BB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE4F8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE758F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF4D8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F01193
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE9384
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFD99A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFB397
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEFD91
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF1F6B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF056A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EF577E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFF14D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE3345
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE3F5C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F01343
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EEC158
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F00B34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE6B25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE5923
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00F0292B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE2309
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE3502
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE251C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFFD10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092CAA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091441E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009243B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00913C91
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092D091
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091AC95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092AC9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00917283
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00930687
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00924E8A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092748A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091CC8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00915AB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009290BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009298BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091FEA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092D6A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009278A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009244AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091DAAE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009308D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00927ED1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092CCD4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00920ADE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092BEC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092A8F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092DEF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009130F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092ECE3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092AEEB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00921C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091E21C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091F41F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00914C00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00918C09
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00911A0A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091220A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092F83F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00931A3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00925220
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091D223
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00919E22
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091EC27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00912654
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00919A57
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00912043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092E441
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00913845
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00912A46
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091A048
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00911C76
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092406E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091FD91
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00931193
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092B397
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092D99A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00919384
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091758F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00924D8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00914F8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00927BB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092B1B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091BFB6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00922FA2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00929DA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00924BAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091A3DF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009325C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00916FC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009303F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091C5FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009155E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092BFE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092FD10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091251C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00913502
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00912309
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00930B34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00915923
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00916B25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0093292B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0091C158
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00913F5C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00931343
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00913345
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092F14D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092577E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092056A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00921F6B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9CAA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8441E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F943B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9A8F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9DEF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F830F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9AEEB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9ECE3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F90ADE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F97ED1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA08D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9CCD4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9BEC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F990BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F998BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F85AB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F944AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8DAAE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8FEA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F978A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9D6A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9AC9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9D091
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F83C91
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8AC95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F94E8A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9748A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8CC8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F87283
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA0687
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F81C76
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9406E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F82654
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F89A57
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8A048
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9E441
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F82043
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F83845
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F82A46
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9F83F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA1A3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F95220
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F89E22
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8D223
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8EC27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8E21C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8F41F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F91C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F88C09
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F81A0A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8220A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F84C00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8C5FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA03F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F855E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9BFE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8A3DF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA25C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F86FC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F97BB2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9B1B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8BFB6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F94BAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F99DA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F92FA2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9D99A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8FD91
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA1193
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9B397
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F94D8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F84F8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8758F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F89384
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9577E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F91F6B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9056A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8C158
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F83F5C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9F14D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA1343
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F83345
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA0B34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00FA292B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F85923
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F86B25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F8251C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9FD10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F82309
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F83502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F0B34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D758F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D9384
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E4BAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E2FA2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DC5FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D55E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D441E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D220A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EF83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DEC27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E5220
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D3845
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D2043
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DAC95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E748A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D5AB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E44AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E78A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F08D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E7ED1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EDEF4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D30F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EECE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EFD10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D2309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D3502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D6B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D5923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DC158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EF14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D3345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F1343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E1F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031ED99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EB397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DFD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F1193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E4D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EB1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DBFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E7BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E43B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E9DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F25C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F03F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EBFE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DE21C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DF41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E1C10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D8C09
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D1A0A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D4C00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F1A3C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DD223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D9E22
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D2654
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D9A57
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DA048
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D2A46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EE441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D1C76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E406E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EAC9B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D3C91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031ED091
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DCC8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E4E8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031F0687
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031D7283
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E98BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E90BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DDAAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031ECAA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031ED6A7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031DFEA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031E0ADE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031ECCD4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EBEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EA8F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_031EAEEB
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E4C5BE0 appears 46 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E4C5BE0 appears 46 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B13F0 zwxnlwalmcbgmt,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B13F0 zwxnlwalmcbgmt,
                      Source: dUGnMYeP1C.dll | Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs dUGnMYeP1C.dll
                      Source: dUGnMYeP1C.dll | Virustotal: Detection: 19%
                      Source: dUGnMYeP1C.dll | ReversingLabs: Detection: 22%
                      Source: dUGnMYeP1C.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engine | Classification label: mal100.troj.evad.winDLL@27/0@0/20
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4BBC70 SHGetFolderPathW,CoCreateInstance,
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_031E1B54 CreateToolhelp32Snapshot,
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4BEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: dUGnMYeP1C.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: dUGnMYeP1C.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: dUGnMYeP1C.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: dUGnMYeP1C.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: dUGnMYeP1C.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: dUGnMYeP1C.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E1229 push eax; retf
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C5C26 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4E8067 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4C5C26 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4E8067 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EE1229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00911229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F81229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_031D1229 push eax; retf
                      Source: dUGnMYeP1C.dll | Static PE information: real checksum: 0x81586 should be: 0x82f94
                      Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E4B6672 second address: 000000006E4B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F75F4AB0AF1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006E4B8A23 second address: 000000006E4B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F75F4D5ACBEh 0x00000007 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E4B6672 second address: 000000006E4B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F75F4AB0AF1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006E4B8A23 second address: 000000006E4B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F75F4D5ACBEh 0x00000007 rdtscp
                      Source: C:\Windows\System32\svchost.exe TID: 5036 | Thread sleep time: -180000s >= -30000s
                      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B6620 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4DD1EE FindFirstFileExA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4DD1EE FindFirstFileExA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_031E1A80 FindFirstFileW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.977901726.000001FFDD0A7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: rundll32.exe, 00000002.00000003.713312417.00000000035AD000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000019.00000002.977772992.000001FFDD058000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWp94
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C846D GetProcessHeap,HeapFree,InterlockedPushEntrySList,
                      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B6620 rdtscp
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013FDE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B6620 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C849D mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B6510 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B8A50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D69AA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B6620 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4C849D mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B6510 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4B8A50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4D69AA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00EFDE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0092DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00F9DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_031EDE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E4C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                      Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C5916 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection¹¹² | Masquerading² | Input Capture¹ | System Time Discovery¹ | Remote Services | Input Capture¹ | Exfiltration Over Other Network Medium | Encrypted Channel¹¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion¹ | LSASS Memory | Security Software Discovery¹³¹ | Remote Desktop Protocol | Archive Collected Data¹ | Exfiltration Over Bluetooth | Ingress Tool Transfer² | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection¹¹² | Security Account Manager | Virtualization/Sandbox Evasion¹ | SMB/Windows Admin Shares | Clipboard Data¹ | Automated Exfiltration | Non-Application Layer Protocol¹ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information¹ | NTDS | Process Discovery² | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol¹² | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories¹ | LSA Secrets | Remote System Discovery¹ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information² | Cached Domain Credentials | File and Directory Discovery² | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32¹ | DCSync | System Information Discovery¹³⁴ | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion¹ | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Behavior Graph ID: 524858; Sample: dUGnMYeP1C; Start date: 19/11/2021; Architecture: WINDOWS; Score: 100

                      Sample-level network contacts: 85.214.67.203 (STRATOSTRATOAGDE, Germany); 195.154.146.35 (OnlineSASFR, France); 17 other IPs or domains

                      Sample-level signatures: Sigma detected: Emotet RunDLL32 Process Creation; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; 4 other signatures

                      Process tree as drawn in the graph:
                      • loaddll32.exe (started)
                        - signature: Tries to detect virtualization through RDTSC time measurements
                        • rundll32.exe (started)
                          - signatures: Tries to detect virtualization through RDTSC time measurements; Hides that the sample has been downloaded from the Internet (zone.identifier)
                          • rundll32.exe (started)
                            • rundll32.exe (started)
                              - network: 51.178.61.60, 443, 49763 (OVHFR, France)
                              - signature: System process connects to network (likely due to code injection or exploit)
                        • cmd.exe (started)
                          • rundll32.exe (started)
                            • rundll32.exe (started)
                        • rundll32.exe (started)
                          • rundll32.exe (started)
                        • 2 other processes
                          • rundll32.exe (started)
                      • svchost.exe (started)
                      • svchost.exe (started)
                      • 2 other processes

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      dUGnMYeP1C.dll | 20% | Virustotal |
                      dUGnMYeP1C.dll | 23% | ReversingLabs | Win32.Infostealer.Convagent

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      2.2.rundll32.exe.3510000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      9.2.rundll32.exe.f80000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      0.2.loaddll32.exe.13e0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      14.2.rundll32.exe.31d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      3.2.rundll32.exe.ee0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.7e0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      6.2.rundll32.exe.910000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      14.2.rundll32.exe.35e4730.1.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.tiktok.com/legal/report/ | 0% | Avira URL Cloud | safe
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU | 0% | Avira URL Cloud | safe
                      http://crl.ver) | 0% | Avira URL Cloud | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://51.178.61.60/ | 10% | Virustotal |
                      https://51.178.61.60/ | 0% | Avira URL Cloud | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC | 0% | Avira URL Cloud | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.tiktok.com/legal/report/ | svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crl.ver) | svchost.exe, 00000019.00000002.978005532.000001FFDD0EF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://51.178.61.60/ | rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp | true | 10%, Virustotal; Avira URL Cloud: safe | unknown
                      https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000019.00000003.959264730.000001FFDD7A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC | rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
                      http://help.disneyplus.com. | svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://disneyplus.com/legal. | svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                      Contacted IPs


                      Public

                      IP | Domain | Country | ASN | ASN Name | Malicious
                      207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
                      196.44.98.190 | unknown | Ghana | 327814 | EcobandGH | true
                      78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
                      37.59.209.141 | unknown | France | 16276 | OVHFR | true
                      85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
                      191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
                      45.79.33.48 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
                      54.37.228.122 | unknown | France | 16276 | OVHFR | true
                      185.148.169.10 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
                      142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
                      54.38.242.185 | unknown | France | 16276 | OVHFR | true
                      195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
                      195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
                      78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
                      168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
                      51.178.61.60 | unknown | France | 16276 | OVHFR | true
                      177.72.80.14 | unknown | Brazil | 262543 | NewLifeFibraBR | true
                      66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
                      37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
                      51.210.242.234 | unknown | France | 16276 | OVHFR | true

                      General Information

                      Joe Sandbox Version: 34.0.0 Boulder Opal
                      Analysis ID: 524858
                      Start date: 19.11.2021
                      Start time: 00:58:24
                      Joe Sandbox Product: CloudBasic
                      Overall analysis duration: 0h 13m 28s
                      Hypervisor based Inspection enabled: false
                      Report type: light
                      Sample file name: dUGnMYeP1C (renamed file extension from none to dll)
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of new started processes analysed: 28
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Detection: MAL
                      Classification: mal100.troj.evad.winDLL@27/0@0/20
                      EGA Information: Failed
                      HDC Information:
                      • Successful, ratio: 19.6% (good quality ratio 17.4%)
                      • Quality average: 68.6%
                      • Quality standard deviation: 30.8%
                      HCA Information:
                      • Successful, ratio: 81%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      Warnings:
                      • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 20.54.110.249
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                      • Not all processes were analyzed; the report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      Time | Type | Description
                      01:01:38 | API Interceptor | 8x Sleep call for process: svchost.exe modified

                      Joe Sandbox View / Context

                      IPs

                      Match | Associated Sample Name / URL | Detection
                      207.148.81.119 | 9fC0as7YLE.dll | malicious
                      | FIyE6huzxV.dll | malicious
                      | V0gZWRXv8d.dll | malicious
                      | t5EuQW2GUF.dll | malicious
                      | uh1WyesPlh.dll | malicious
                      | 8rryPzJR1p.dll | malicious
                      | a65FgjVus4.dll | malicious
                      | bWjYh6H8wk.dll | malicious
                      | ZJOHKItBoJ.dll | malicious
                      | eyPPiz3W6u.dll | malicious
                      | HjYSwxqyUn.dll | malicious
                      | f47YPsvRI3.dll | malicious
                      | 2n64VXT08V.dll | malicious
                      | qUr4bXsweR.dll | malicious
                      | 52O6evfqQT.dll | malicious
                      | ONEitXKvz6.dll | malicious
                      | 1w9i8K6AzWV5RmHTSn8.dll | malicious
                      | nXOpgPAbKC.dll | malicious
                      | yezVNLNobB.dll | malicious
                      | rRX4GBcJKK.dll | malicious
                      196.44.98.190 | 9fC0as7YLE.dll | malicious
                      | FIyE6huzxV.dll | malicious
                      | V0gZWRXv8d.dll | malicious
                      | t5EuQW2GUF.dll | malicious
                      | uh1WyesPlh.dll | malicious
                      | 8rryPzJR1p.dll | malicious
                      | a65FgjVus4.dll | malicious
                      | bWjYh6H8wk.dll | malicious
                      | ZJOHKItBoJ.dll | malicious
                      | eyPPiz3W6u.dll | malicious
                      | HjYSwxqyUn.dll | malicious
                      | f47YPsvRI3.dll | malicious
                      | 2n64VXT08V.dll | malicious
                      | qUr4bXsweR.dll | malicious
                      | 52O6evfqQT.dll | malicious
                      | ONEitXKvz6.dll | malicious
                      | 1w9i8K6AzWV5RmHTSn8.dll | malicious
                      | nXOpgPAbKC.dll | malicious
                      | yezVNLNobB.dll | malicious
                      | rRX4GBcJKK.dll | malicious

                                                                                                      Domains

                                                                                                      No context

                                                                                                      ASN

                      Match | Associated Sample Name / URL | Detection | Context
                      AS-CHOOPAUS | 9fC0as7YLE.dll | malicious | 66.42.57.149
                      | FIyE6huzxV.dll | malicious | 66.42.57.149
                      | V0gZWRXv8d.dll | malicious | 66.42.57.149
                      | t5EuQW2GUF.dll | malicious | 66.42.57.149
                      | uh1WyesPlh.dll | malicious | 66.42.57.149
                      | 8rryPzJR1p.dll | malicious | 66.42.57.149
                      | a65FgjVus4.dll | malicious | 66.42.57.149
                      | bWjYh6H8wk.dll | malicious | 66.42.57.149
                      | ZJOHKItBoJ.dll | malicious | 66.42.57.149
                      | eyPPiz3W6u.dll | malicious | 66.42.57.149
                      | HjYSwxqyUn.dll | malicious | 66.42.57.149
                      | f47YPsvRI3.dll | malicious | 66.42.57.149
                      | 2n64VXT08V.dll | malicious | 66.42.57.149
                      | qUr4bXsweR.dll | malicious | 66.42.57.149
                      | 52O6evfqQT.dll | malicious | 66.42.57.149
                      | ONEitXKvz6.dll | malicious | 66.42.57.149
                      | F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe | malicious | 149.28.253.196
                      | jQ32XS2Lgf.exe | malicious | 216.128.137.31
                      | QbXMqZr3bx.exe | malicious | 216.128.137.31
                      | Whg8jgqeOs.exe | malicious | 149.28.253.196
                      EcobandGH | 9fC0as7YLE.dll | malicious | 196.44.98.190
                      | FIyE6huzxV.dll | malicious | 196.44.98.190
                      | V0gZWRXv8d.dll | malicious | 196.44.98.190
                      | t5EuQW2GUF.dll | malicious | 196.44.98.190
                      | uh1WyesPlh.dll | malicious | 196.44.98.190
                      | 8rryPzJR1p.dll | malicious | 196.44.98.190
                      | a65FgjVus4.dll | malicious | 196.44.98.190
                      | bWjYh6H8wk.dll | malicious | 196.44.98.190
                      | ZJOHKItBoJ.dll | malicious | 196.44.98.190
                      | eyPPiz3W6u.dll | malicious | 196.44.98.190
                      | HjYSwxqyUn.dll | malicious | 196.44.98.190
                      | f47YPsvRI3.dll | malicious | 196.44.98.190
                      | 2n64VXT08V.dll | malicious | 196.44.98.190
                      | qUr4bXsweR.dll | malicious | 196.44.98.190
                      | 52O6evfqQT.dll | malicious | 196.44.98.190
                      | ONEitXKvz6.dll | malicious | 196.44.98.190
                      | 1w9i8K6AzWV5RmHTSn8.dll | malicious | 196.44.98.190
                      | nXOpgPAbKC.dll | malicious | 196.44.98.190
                      | yezVNLNobB.dll | malicious | 196.44.98.190
                      | rRX4GBcJKK.dll | malicious | 196.44.98.190

JA3 Fingerprints

Match: 51c64c77e60f3980eea90869b68c58a8

Associated Sample Name / URL                        Detection  Context
yFAXc9z51V.dll                                      malicious  • 51.178.61.60
9fC0as7YLE.dll                                      malicious  • 51.178.61.60
FIyE6huzxV.dll                                      malicious  • 51.178.61.60
V0gZWRXv8d.dll                                      malicious  • 51.178.61.60
t5EuQW2GUF.dll                                      malicious  • 51.178.61.60
uh1WyesPlh.dll                                      malicious  • 51.178.61.60
8rryPzJR1p.dll                                      malicious  • 51.178.61.60
a65FgjVus4.dll                                      malicious  • 51.178.61.60
bWjYh6H8wk.dll                                      malicious  • 51.178.61.60
ZJOHKItBoJ.dll                                      malicious  • 51.178.61.60
eyPPiz3W6u.dll                                      malicious  • 51.178.61.60
02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe  malicious  • 51.178.61.60
HjYSwxqyUn.dll                                      malicious  • 51.178.61.60
f47YPsvRI3.dll                                      malicious  • 51.178.61.60
2n64VXT08V.dll                                      malicious  • 51.178.61.60
qUr4bXsweR.dll                                      malicious  • 51.178.61.60
52O6evfqQT.dll                                      malicious  • 51.178.61.60
ONEitXKvz6.dll                                      malicious  • 51.178.61.60
1w9i8K6AzWV5RmHTSn8.dll                             malicious  • 51.178.61.60
nXOpgPAbKC.dll                                      malicious  • 51.178.61.60

A JA3 hash fingerprints the TLS client hello (protocol version, cipher suites, extensions, curves and point formats), that is the TLS stack and its configuration, not the binary that uses it, so the same value appears on any program sharing that stack. It is a pivot only in combination with the destination: every sample associated with this fingerprint also contacted 51.178.61.60.

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.178852688448735
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
• Clipper DOS Executable (2020/12) 0.20%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: dUGnMYeP1C.dll
File size: 485376 bytes
MD5: 9369750d8d21d8fcb1b35365f232625f
SHA1: 30902a381e823450780e0efbbdc4d4130a032e20
SHA256: 8d91807aa27ee93694388b7cbfa9d74a3d93407036650cdd29631360b675853f
SHA512: 0679066f6419d764d98fef3a614b450be5d913a9888985d32d33279a422a59a32d7c6ec693d90734665024198c5c22d62ec0e85321485ddfe0dd513b3daaa2bc
SSDEEP: 12288:bdv8jkvzqZvv2wLBVmTi12yD88kYwZ1h1:b2Zvv2ccTi1v0Z1h
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10015826
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
TLS Callbacks: none
CLR (.Net) Version: none (native code)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 261bae8b02d2e7bf979e55d76b9dc786

DYNAMIC_BASE is set and a .reloc section is present, so the addresses in this report (the entrypoint, the export addresses, the vtable constants in the preview below) are relative to the preferred base 0x10000000 and may differ at run time under ASLR. The link timestamp is written by whoever built the file and can be set to anything; treat it as a clue, not as evidence of when the sample was built.

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F75F4BF7057h
call 00007F75F4BF74AAh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F75F4BF6F08h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75F4BE2E9Eh
mov dword ptr [esi], 1003B3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B3F0h
mov dword ptr [ecx], 1003B3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75F4BE2E6Bh
mov dword ptr [esi], 1003B404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B40Ch
mov dword ptr [ecx], 1003B404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003B3DCh
push eax
call 00007F75F4BFA766h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F75F4BF705Ch
push 0000000Ch
push esi
call 00007F75F4BF64DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F75F4BF6FCFh
push 0004CC44h

The first block (push ebp through retn 000Ch) is the standard MSVC CRT entry stub for a DLL: it compares fdwReason ([ebp+0Ch]) with DLL_PROCESS_ATTACH (1), runs CRT initialisation only on attach, then pushes hinstDLL, fdwReason and lpReserved and calls the CRT's DllMain dispatcher, returning with retn 0Ch (stdcall, three arguments). The functions that follow are compiler-generated C++ boilerplate: constructors that store vtable pointers (1003B3E8h, 1003B404h, 1003B3DCh, all inside .rdata) into the object in ecx/esi, and a scalar deleting destructor whose test byte ptr [ebp+08h], 1 / push 0Ch sequence frees a 0Ch-byte object. None of this is the loader's own logic. The call and jump targets (00007F75F4BFxxxxh) are rendered against the disassembler's working buffer, not as image addresses; only the immediate constants are image addresses. The preview ends mid-function at push 0004CC44h.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x4d710          0x5c0         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4dcd0          0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x52000          0x24410       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x77000          0x33a0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x498f8          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3b000          0x2f8         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sizes are in bytes. The import directory size 0xb4 is nine 20-byte IMAGE_IMPORT_DESCRIPTOR entries: the eight modules listed under Imports plus the null terminator. The empty SECURITY entry matches "Digitally signed: false", the empty DEBUG entry means no PDB path is embedded, the empty TLS entry means no TLS callbacks, and the empty COM_DESCRIPTOR entry confirms native code rather than .NET.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x3930c       0x39400   False     0.530729735262   data       6.66187646144  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x3b000          0x13cfe       0x13e00   False     0.464512087264   data       5.41556152438  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x4f000          0x252c        0x1800    False     0.223795572917   data       3.845062089    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x52000          0x24410       0x24600   False     0.818520457474   data       7.7494793776   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x77000          0x33a0        0x3400    False     0.71484375       data       6.58405020621  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Virtual addresses are relative to the image base; entropy is 8-bit Shannon entropy (maximum 8.0). The raw sizes plus a 0x400-byte header (the usual file alignment, and the arithmetic bears it out) sum to 0x39400 + 0x13e00 + 0x1800 + 0x24600 + 0x3400 + 0x400 = 485,376 bytes, exactly the file size, so nothing is appended after the last section (no overlay). The entrypoint 0x10015826 lies inside .text (0x10001000 to 0x1003a30c). .rsrc is the highest-entropy section at 7.75, well above the 6.66 of the code in .text, and almost all of it is a single RT_BITMAP resource (0x23467 bytes, see Resources): that is the profile of compressed or encrypted data stored as a resource, not of a bitmap.
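
An added example, not code from this report or from Joe Sandbox, showing where the Sections table and the Time Stamp field come from: a pure-Python PE32 section-table walker that reports each section's virtual address, sizes and 8-bit Shannon entropy, decodes IMAGE_FILE_HEADER.TimeDateStamp, and flags sections whose entropy suggests packed or encrypted data. It builds a small constructed PE image inline (not the analysed sample) so it runs offline without pefile; the 7.0 flagging threshold and the sample section contents are assumptions for the demonstration.

```python
import math
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
# IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HDR_FMT = "<HHIIIHH"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_timestamp_utc(ts: int) -> str:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_sections(image: bytes) -> dict:
    """DOS header -> e_lfanew -> PE signature -> file header -> section headers.

    Returns the link timestamp and one record per section (addresses, sizes and the
    entropy of its raw bytes), i.e. the Static PE Info / Sections rows of the report.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from(FILE_HDR_FMT, image, e_lfanew + 4)
    sect_off = e_lfanew + 4 + struct.calcsize(FILE_HDR_FMT) + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, image, sect_off + i * SECTION_SIZE)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 4), "characteristics": chars,
        })
    return {"machine": machine, "timestamp": pe_timestamp_utc(ts), "sections": sections}


def high_entropy_sections(parsed: dict, threshold: float = 7.0) -> list:
    """Sections whose raw data looks compressed or encrypted; 7.0 is a working assumption."""
    return [s["name"] for s in parsed["sections"] if s["entropy"] >= threshold]


def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE32 DLL image (NOT the analysed sample): DOS header, PE signature,
    file header carrying the report's TimeDateStamp and characteristics, a zeroed 0xE0-byte
    optional header, then (name, bytes, characteristics) sections at 0x200 file alignment."""
    opt_size, e_lfanew = 0xE0, 0x40
    hdr_end = e_lfanew + 4 + struct.calcsize(FILE_HDR_FMT) + opt_size + len(sections) * SECTION_SIZE
    first_raw = (hdr_end + 0x1FF) & ~0x1FF
    headers, data, va = [], bytearray(), 0x1000
    for name, blob, chars in sections:
        headers.append(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(blob), va,
                                   len(blob), first_raw + len(data), 0, 0, 0, 0, chars))
        data += blob + b"\0" * (-len(blob) % 0x200)
        va += (len(blob) + 0xFFF) & ~0xFFF
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack(FILE_HDR_FMT, 0x14C, len(sections), 0x61964C08, 0, 0, opt_size, 0x2102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    image = dos + b"PE\0\0" + file_hdr + opt_hdr + b"".join(headers)
    return image.ljust(first_raw, b"\0") + bytes(data)


# Constructed input: a section with every byte value equally frequent (entropy 8.0),
# a low-entropy resource section (two byte values, entropy 1.0) and an all-zero data section.
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(256)) * 4, 0x60000020),
    (b".rsrc", b"\x00\x01" * 0x100, 0x40000040),
    (b".data", b"\x00" * 0x300, 0xC0000040),
])

if __name__ == "__main__":
    info = parse_sections(SAMPLE_PE)
    print("Time Stamp:", info["timestamp"])
    for s in info["sections"]:
        print(f'{s["name"]:<8}{s["virtual_address"]:#010x}  {s["virtual_size"]:#x}  '
              f'{s["raw_size"]:#x}  {s["entropy"]:.4f}')
    print("high-entropy sections:", high_entropy_sections(info))
```

To apply it to a real file, pass the file's bytes to parse_sections(); on this sample the .rsrc row should come out close to 7.75 and be the only one flagged at the 7.0 threshold, and pe_timestamp_utc(0x61964C08) reproduces the Time Stamp shown above. Entropy is per section here; carving the individual resource out of .rsrc (offset from the Resources table) narrows it further.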

Resources

Name         RVA      Size     Type                                    Language  Country
REGISTRY     0x758d0  0x98     ASCII text, with CRLF line terminators  English   United States
REGISTRY     0x75968  0x260    ASCII text, with CRLF line terminators  English   United States
TYPELIB      0x75bc8  0x69c    data                                    English   United States
RT_BITMAP    0x52220  0x23467  data                                    English   United States
RT_STRING    0x76268  0x26     data                                    English   United States
RT_VERSION   0x75688  0x244    data                                    English   United States
RT_MANIFEST  0x76290  0x17d    XML 1.0 document text                   English   United States

Sizes are in bytes. The RT_BITMAP at 0x52220 is 0x23467 (144,487) bytes, about 97% of the 0x24600-byte .rsrc section whose entropy is 7.75; a real bitmap of that size would not produce that profile, so this resource is the first thing to carve and examine when working on the loader. The REGISTRY (.rgs script) and TYPELIB resources, together with the RegCreateKeyExW, LoadTypeLib and CoCreateInstance imports below, are what an ATL in-process COM server project generates, i.e. the DLL is built on a wizard-style application skeleton.

Imports

pdh.dll: PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll: GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll: GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll: SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll: RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll: ShellExecuteW, SHGetFolderPathW
ole32.dll: CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll: LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib

No networking module is imported (no ws2_32, wininet or winhttp), so any network activity has to come from APIs resolved at run time through the imported LoadLibraryExW and GetProcAddress by later-stage code; the static import list therefore understates what the DLL does. What is visible statically is the staging and anti-analysis surface: FindResourceW, LoadResource and SizeofResource together with VirtualAlloc and FlushInstructionCache are exactly the primitives needed to pull a resource into memory and execute it, and IsDebuggerPresent, GetTickCount64, QueryPerformanceCounter, GetProcessHeap and the locale queries (EnumSystemLocalesW, GetUserDefaultLCID, GetSystemDefaultLangID) are the checks the behavioural signatures flag. The pdh.dll performance-counter, GDI and USER32 window imports read as a generic GUI/COM application rather than a loader.
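
The Import Hash above is a pivot value, and what it does and does not survive is worth knowing. An added example, not code from this report or from Joe Sandbox: the imphash construction as pefile computes it (my reading of pefile's get_imphash(), not something the report states), run over a constructed excerpt of the import table above, with a small parser for plain-text import listings so a report table can be fed in directly. Pure Python, no pefile dependency; the excerpt and the "module: function, function" listing format are assumptions for the example.

```python
import hashlib

# Module-name suffixes pefile strips before hashing (assumption about pefile's behaviour).
STRIP_EXT = ("dll", "ocx", "sys")


def imphash(imports: list) -> str:
    """Import hash as pefile computes it (the report's 'Import Hash' field).

    imports: [(module_name, [function_name or ordinal_int, ...]), ...] in import-table
    order. Every import becomes 'module.function' with the module's .dll/.ocx/.sys suffix
    removed and everything lower-cased; imports by ordinal become 'ordN' (pefile first
    consults per-module ordinal-to-name tables for ws2_32/oleaut32, omitted here). The
    strings are comma-joined and MD5-hashed, so the ORDER of modules and functions is
    part of the hash.
    """
    parts = []
    for module, funcs in imports:
        lib = module.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIP_EXT:
            lib = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def parse_import_listing(text: str) -> list:
    """Convert a plain-text listing, one 'module: func, func, ...' line per module, into
    imphash() input, preserving module and function order. 'ordN' tokens become ints."""
    imports = []
    for line in text.strip().splitlines():
        module, _, rest = line.partition(":")
        funcs = []
        for token in (t.strip() for t in rest.split(",")):
            if not token:
                continue
            if token.lower().startswith("ord") and token[3:].isdigit():
                funcs.append(int(token[3:]))
            else:
                funcs.append(token)
        imports.append((module.strip(), funcs))
    return imports


# Constructed excerpt of the import table above (first functions of four modules only).
# Reproducing the report's value 261bae8b02d2e7bf979e55d76b9dc786 needs the complete table
# in the order the import directory stores it.
SAMPLE_LISTING = """
pdh.dll: PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery
KERNEL32.dll: GetErrorMode, GetThreadErrorMode, GetCommandLineA, IsDebuggerPresent
ADVAPI32.dll: RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW
SHELL32.dll: ShellExecuteW, SHGetFolderPathW
"""

if __name__ == "__main__":
    imports = parse_import_listing(SAMPLE_LISTING)
    print("imphash of excerpt:", imphash(imports))
    # Same functions with the module order reversed: a different hash, which is why a
    # trivial import reordering between builds breaks an imphash pivot.
    print("imphash with modules reordered:", imphash(imports[::-1]))
```

Two caveats follow directly from the construction. Case and the .dll suffix are normalised away, so KERNEL32.dll and kernel32.dll hash alike, but any change in import order or in the set of statically imported functions produces an unrelated value; and APIs resolved at run time with GetProcAddress never enter the hash at all, so for a loader like this one the imphash fingerprints the shell application, not the unpacked code.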

                                                                                                      Exports

Name | Ordinal | Address
Control_RunDLL | 1 | 0x10001200
abziuleoxsborpb | 2 | 0x10001570
aejkroaebsbxdnkhb | 3 | 0x10001430
amgshvm | 4 | 0x10001340
bjtmgxqrshhlmbh | 5 | 0x10001320
ciqnowraabbra | 6 | 0x100013e0
cmiqzvq | 7 | 0x10001450
crprctzst | 8 | 0x10001360
cwiynhgawsfh | 9 | 0x100012f0
dhfyfrdbpo | 10 | 0x100012c0
dvmyigplnf | 11 | 0x10001480
erlpzdqhrlacaxnda | 12 | 0x10001440
euduauchas | 13 | 0x100014b0
fjorczheej | 14 | 0x10001390
fqtruzg | 15 | 0x100014c0
fzxvmnutn | 16 | 0x100014d0
ghrfpkc | 17 | 0x10001280
ghrmmrvezk | 18 | 0x10001530
hjbgnfzrilso | 19 | 0x100015d0
hvbblczdjkdx | 20 | 0x10001310
ifsmmtyjag | 21 | 0x10001310
jbgiwxjtyvvaxuitk | 22 | 0x10001410
jhjtpuvq | 23 | 0x10001260
jovvzziqyeznb | 24 | 0x100015a0
kbkufclc | 25 | 0x100014e0
kxpdpqduritjwfv | 26 | 0x10001560
lfirwsslmgzmfg | 27 | 0x10001330
mdaepyqwwigtzy | 28 | 0x10001500
meqzizr | 29 | 0x10001350
mmykgdmikdunzlhbb | 30 | 0x10001520
mxqliouinhlsqvw | 31 | 0x100013b0
mzxbssgzqetjmifs | 32 | 0x10001490
ndzjkcaftnq | 33 | 0x10001510
nfwlevhbaunupm | 34 | 0x100013c0
njhdfbkyxqtwtcvsa | 35 | 0x10001300
nmzgdiluzbemovs | 36 | 0x10001400
obsypougzzamg | 37 | 0x100013d0
oqzjqpsxbjh | 38 | 0x100012d0
ormmaboaiinycs | 39 | 0x10001230
pejacnmfhwmlhqc | 40 | 0x10001340
pzgjkxaqryk | 41 | 0x100015b0
qlsxhmuh | 42 | 0x10001240
rykrtqanuszehh | 43 | 0x10001550
sktlwejyhkbweva | 44 | 0x100014a0
sromrbjt | 45 | 0x10001460
txrogplicljtdlky | 46 | 0x100012e0
tywxzfemhfuvwwqtq | 47 | 0x10001270
ukeirvjwemstdk | 48 | 0x10001250
usfroye | 49 | 0x10001370
varapmou | 50 | 0x100013a0
vjfbgya | 51 | 0x100015c0
vpzxnmg | 52 | 0x10001590
wniijfgeibtaumvma | 53 | 0x100014f0
wtkpnwha | 54 | 0x10001470
xkdmdojzjns | 55 | 0x10001420
yumftkya | 56 | 0x100012a0
ywkvngmohrw | 57 | 0x10001380
ywwwgcpzcec | 58 | 0x10001580
yyldomdvsymz | 59 | 0x10001290
zdcdzgtngf | 60 | 0x100012b0
zwxnlwalmcbgmt | 61 | 0x100013f0
zzvywuxdvuecsm | 62 | 0x10001540

                                                                                                      Version Infos

Description | Data
InternalName | Erulfuaekg.dll
FileVersion | 3.3.7.9
ProductName | Erulfuaekg
ProductVersion | 3.3.7.9
FileDescription | asdzxcqwe123
OriginalFilename | Erulfuaekg.dll
Translation | 0x0408 0x04e4

                                                                                                      Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

                                                                                                      Network Behavior

                                                                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/21-01:00:39.596565 | TCP | 2404334 | ET CNC Feodo Tracker Reported CnC Server TCP group 18 | 49763 | 443 | 192.168.2.4 | 51.178.61.60

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2021 01:00:39.596565008 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:39.596628904 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:39.596800089 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:39.680131912 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:39.680176020 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:39.796260118 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:39.796437025 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.647006989 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.647049904 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:41.647433996 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:41.647514105 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.656450987 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.700871944 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:41.896475077 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:41.896555901 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4
Nov 19, 2021 01:00:41.896692038 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.896724939 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.901420116 CET | 49763 | 443 | 192.168.2.4 | 51.178.61.60
Nov 19, 2021 01:00:41.901465893 CET | 443 | 49763 | 51.178.61.60 | 192.168.2.4

                                                                                                      HTTP Request Dependency Graph

                                                                                                      • 51.178.61.60

                                                                                                      HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49763 | 51.178.61.60 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-19 00:00:41 UTC | 0 | OUT | GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1
    Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ==
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
2021-11-19 00:00:41 UTC | 0 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 19 Nov 2021 00:00:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2021-11-19 00:00:41 UTC | 0 | IN | Data Raw: (binary response body)


                                                                                                      Code Manipulations

                                                                                                      Statistics

                                                                                                      Behavior


                                                                                                      System Behavior

                                                                                                      General

                                                                                                      Start time:00:59:17
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\System32\loaddll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll"
                                                                                                      Imagebase:0xd20000
                                                                                                      File size:893440 bytes
                                                                                                      MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:18
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                                                                                                      Imagebase:0x11d0000
                                                                                                      File size:232960 bytes
                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:18
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:18
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:22
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:26
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:45
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:46
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:00:59:53
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:01:00:04
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:01:00:04
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:01:00:13
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL
                                                                                                      Imagebase:0x1060000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, Author: Joe Security
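
The rundll32 entries above show the loader pattern the "Emotet RunDLL32 Process Creation" signature keys on: the sample is first run with the Control_RunDLL export from the user's Desktop, then a copy with a non-DLL extension is executed from a freshly created subdirectory of SysWOW64 with a random export name, and the same file is later named under System32 (WOW64 file-system redirection maps that to SysWOW64 for a 32-bit process, so both spellings are one drop). The following Python is an added example, not part of the report or of any Joe Security rule: it applies those heuristics to constructed process-creation records whose command lines are copied from the report. The pid values, the wow64 field, the library-extension list, the user-writable markers and the benign control record at the end are assumptions for illustration.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records for this example. The image paths,
# WOW64 flags and command lines are the ones listed in the report above;
# the pid values and the final, benign record are assumptions added as a
# control and are not taken from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 9, "wow64": True, "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Windows\\SysWOW64\\Syakyqcviop\\airusfmukngvit.rau",grPefdKmoEDD'},
    {"pid": 10, "wow64": True, "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Users\\user\\Desktop\\dUGnMYeP1C.dll",Control_RunDLL'},
    {"pid": 14, "wow64": True, "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Windows\\System32\\Syakyqcviop\\airusfmukngvit.rau",Control_RunDLL'},
    {"pid": 20, "wow64": False, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"pid": 30, "wow64": False, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]

SYSTEM32 = "c:\\windows\\system32"
SYSWOW64 = "c:\\windows\\syswow64"
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}          # assumed allow-list
USER_WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")

# rundll32 syntax: rundll32.exe <module>[,<export>] [args]; the module may be quoted.
RUNDLL32_RE = re.compile(
    r'^(?:"[^"]*"|\S+)\s+'                        # the rundll32.exe image itself
    r'(?:"(?P<qpath>[^"]+)"|(?P<upath>[^,\s]+))'  # module path, quoted or bare
    r'(?:,(?P<export>\S+))?'                      # optional export name
)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (module_path, export) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qpath") or m.group("upath")), m.group("export")


def canonical_path(path: str, wow64: bool) -> str:
    """Lower-case the path and undo WOW64 file-system redirection.

    A 32-bit process that names C:\\Windows\\System32\\... is redirected to
    C:\\Windows\\SysWOW64\\..., which is why the report shows the same dropped
    file under both names. Folding them lets one rule cover both spellings.
    """
    p = path.lower()
    if wow64 and p.startswith(SYSTEM32 + "\\"):
        p = SYSWOW64 + p[len(SYSTEM32):]
    return p


def classify(event: Dict) -> List[str]:
    """Return the list of suspicious traits for one process-creation event."""
    findings: List[str] = []
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return findings
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return findings
    raw_path, export = parsed
    path = canonical_path(raw_path, event["wow64"])
    directory, filename = ntpath.split(path)
    ext = ntpath.splitext(filename)[1]
    in_system_dir = directory in (SYSTEM32, SYSWOW64)

    # Module dropped into a subdirectory of the system directory.
    for sysdir in (SYSTEM32, SYSWOW64):
        if path.startswith(sysdir + "\\") and not in_system_dir:
            findings.append("module in subdirectory of " + sysdir)
    # Module does not carry a library extension (the drop above uses ".rau").
    if ext not in LIBRARY_EXTS:
        findings.append("non-library extension " + (ext or "<none>"))
    # Module loaded from a user-writable location.
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        findings.append("module in user-writable location")
    # Control_RunDLL is the entry point for Control Panel applets; calling it on
    # a module outside the system directory matches the loader's first stage.
    if export and export.lower() == "control_rundll" and not in_system_dir:
        findings.append("Control_RunDLL on module outside system directory")
    return findings


def suspicious_pids(events: List[Dict]) -> List[int]:
    """PIDs of events that carry at least one suspicious trait."""
    return [e["pid"] for e in events if classify(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["pid"], classify(e))
```

Run against the constructed records, the three rundll32 launches from the report are flagged (the System32 spelling lands on the same SysWOW64 subdirectory as the first), while the svchost.exe entries and the benign shell32.dll control produce no findings. In production the same checks would sit on Sysmon Event ID 1 or an EDR process-creation feed, with the parent process and the file's creation time as additional context.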

                                                                                                      General

                                                                                                      Start time:01:00:33
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:01:01:06
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:01:01:23
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:01:01:35
                                                                                                      Start date:19/11/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Disassembly

                                                                                                      Code Analysis
