Windows Analysis Report wNjqkrm8pH

Overview

General Information

Sample Name: wNjqkrm8pH (renamed file extension from none to dll)
Analysis ID: 524862
MD5: 699b39c805f6a366707eb9a0e580bc0d
SHA1: 04489a4c9d50b62a9ff16f5baa67f568b2eb46ed
SHA256: 142d330305cf2bba895b000b9c7c2da6c6b38cb728d3fb347da8dd9f0bed4845
Tags: 32, dll, exe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6164 cmdline: loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2804 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5940 cmdline: rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6280 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 672 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6416 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 6828 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6420 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5416 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2236 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.3304250.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.d341f8.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.3464320.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.d341f8.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.32a6388.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5940, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, ProcessId: 2944

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.e45298.1.raw.unpack, Malware Configuration Extractor: Emotet (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: wNjqkrm8pH.dll, Virustotal: Detection: 24%
Source: wNjqkrm8pH.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: wNjqkrm8pH.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E9DD1EE FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E9DD1EE FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00EB1A80 FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49747 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration (the C2 list under Malware Configuration above)
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected:
    GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1
    Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190
Source: Joe Sandbox View, IP Address: 78.46.73.125
Source: unknown, Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.607542266.0000025AA9575000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.607594577.0000025AA9599000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00EC1027 InternetReadFile
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E9B5EE0 GetClipboardViewer, GetClipboardViewer, GetSystemDefaultLangID, GetOpenClipboardWindow, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, GetCurrentThread, GetForegroundWindow, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, AnyPopup, GetUserDefaultUILanguage, GetUserDefaultUILanguage, GetCurrentThread, GetCurrentThread, GetErrorMode, GetErrorMode, GetThreadErrorMode

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: wNjqkrm8pH.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe, File deleted: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Hsngzdtsiohsyp\
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B6620
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B5730
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9DC6FE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B5EE0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA60F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CAE3B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9D3780
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9BF700
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C1CD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CDC5D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C7C47
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA29D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B2A80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CDA2D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CAB80
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA8B9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E3074
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CA1F0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E1929
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D108D1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0DEF4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0ECE3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0AEEB
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D090BA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0CAA8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF2A46
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF3845
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF2043
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF4C00
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFF41F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF441E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0D99A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF9384
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D07BB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0056A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D07ED1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0CCD4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D00ADE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0BEC9
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0A8F0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF30F6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0D091
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFCC8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0AC9B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF7283
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D10687
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D04E8A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0748A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFAC95
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF3C91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFDAAE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D098BD
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFFEA0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D078A5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0D6A7
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D044AA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF5AB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFA048
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0E441
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF9A57
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF2654
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF1C76
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0406E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D01C10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF1A0A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF220A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF8C09
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFE21C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFEC27
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFD223
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF9E22
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D11A3C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0F83F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D05220
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF6FC4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFA3DF
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D125C3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D103F1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF55E8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFC5FE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0BFE8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF758F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF4F8E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D11193
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0B397
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D04D8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFFD91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D043B3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0B1B5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D09DA1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D02FA2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFBFB6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D04BAA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF3345
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D11343
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF3F5C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CFC158
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0F14D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0577E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D01F6B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D0FD10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF2309
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF3502
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF251C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D10B34
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF6B25
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00CF5923
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_00D1292B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9B6620
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9B5730
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9DC6FE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9B5EE0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9D3780
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9BF700
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9C1CD0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9CDC5D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9C7C47
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9CA29D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9B2A80
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9CDA2D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9E3074
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 2_2_6E9E1929
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032443B3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323441E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324CAA8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03235923
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03236B25
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0325292B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03250B34
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03233502
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03232309
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324FD10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323251C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324056A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03241F6B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324577E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03233345
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03251343
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324F14D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323C158
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03233F5C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03249DA1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03242FA2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03244BAA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324B1B5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323BFB6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03247BB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03239384
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03244D8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323758F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03234F8E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323FD91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324B397
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03251193
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324D99A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324BFE8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032503F1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323C5FE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032525C3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03236FC4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323A3DF
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323D223
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03239E22
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03245220
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323EC27
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03251A3C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324F83F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03234C00
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03231A0A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323220A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03238C09
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03241C10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323F41F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323E21C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324406E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03231C76
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03232043
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03232A46
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324E441
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03233845
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323A048
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03239A57
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03232654
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032478A5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323FEA0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324D6A7
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032444AA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03235AB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032498BD
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032490BA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03237283
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03250687
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03244E8A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324748A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323CC8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03233C91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324D091
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0323AC95
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324AC9B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324ECE3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324AEEB
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324DEF4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032330F6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324BEC9
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_0324CCD4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_032508D1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03247ED1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 3_2_03240ADE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3CAA8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2441E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B343B3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B25AB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B390BA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B398BD
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2FEA0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3D6A7
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B378A5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B344AA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3D091
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B23C91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2AC95
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3AC9B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B27283
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B40687
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B34E8A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3748A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2CC8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B230F6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3DEF4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3ECE3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3AEEB
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B37ED1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B408D1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3CCD4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B30ADE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3BEC9
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B41A3C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3F83F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B29E22
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2D223
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B35220
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2EC27
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B31C10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2F41F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2E21C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B24C00
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B21A0A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2220A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B28C09
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B21C76
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3406E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B29A57
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B22654
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B22043
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3E441
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B22A46
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B23845
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2A048
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B37BB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2BFB6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3B1B5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B32FA2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B39DA1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B34BAA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2FD91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3B397
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B41193
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3D99A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B29384
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B24F8E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2758F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B34D8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B403F1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2C5FE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3BFE8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2A3DF
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B26FC4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B425C3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B40B34
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B25923
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B26B25
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B4292B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3FD10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2251C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B23502
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B22309
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3577E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B31F6B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3056A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B2C158
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B23F5C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B23345
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B41343
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_00B3F14D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBECE3
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA30F6
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBDEF4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB7ED1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EC08D1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB44AA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB78A5
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA5AB2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB748A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAAC95
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA2043
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA3845
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB5220
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAEC27
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBF83F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA220A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA441E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA55E8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAC5FE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB4BAA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB2FA2
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA758F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA9384
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EC0B34
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBAEEB
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBA8F0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBBEC9
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB0ADE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBCCD4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBCAA8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EADAAE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAFEA0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBD6A7
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB90BA
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB98BD
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB4E8A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EACC8D
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA7283
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EC0687
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBAC9B
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBD091
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA3C91
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB406E
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA1C76
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAA048
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBE441
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA2A46
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA9A57
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA2654
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA9E22
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAD223
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EC1A3C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA1A0A
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA8C09
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA4C00
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAF41F
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EAE21C
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EB1C10
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EBBFE8
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EC03F1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_00EA6FC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EC25C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EAA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB9DA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB43B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB7BB2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EABFB6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EBB1B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA4F8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB4D8D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EBD99A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EAFD91
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EBB397
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EC1193
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB1F6B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB056A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EBF14D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA3345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EC1343
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EAC158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA3F5C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EC292B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA5923
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA6B25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA2309
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA3502
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA251C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EBFD10
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E9C5BE0 appears 46 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E9C5BE0 appears 46 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B13F0 zwxnlwalmcbgmt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9B13F0 zwxnlwalmcbgmt,
                      Source: wNjqkrm8pH.dllBinary or memory string: OriginalFilenameErulfuaekg.dll6 vs wNjqkrm8pH.dll
                      Source: wNjqkrm8pH.dllVirustotal: Detection: 24%
                      Source: wNjqkrm8pH.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@27/0@0/21
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C3C90 CoCreateInstance,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.ini
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB1B54 CreateToolhelp32Snapshot,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9BEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: wNjqkrm8pH.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: wNjqkrm8pH.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: wNjqkrm8pH.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: wNjqkrm8pH.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: wNjqkrm8pH.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: wNjqkrm8pH.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01041229 push eax; retf
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C5C26 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E8067 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00CF1229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9C5C26 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9E8067 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03231229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00B21229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EA1229 push eax; retf
                      Source: wNjqkrm8pH.dllStatic PE information: real checksum: 0x81586 should be: 0x815b6
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie
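The process-creation lines above show the shape of the loader chain: loaddll32.exe (the sandbox's own harness) invokes the DLL through cmd.exe and rundll32.exe with the ordinal export #1, rundll32.exe then re-spawns itself with the Control_RunDLL entry, and once the PE has been moved to C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie it is run again from that path with a random export name and a non-DLL extension. The Python below is an added example, not part of this report or of any Joe Sandbox tooling: it parses process-creation events written in a constructed "parent image|command line" form (the sample lines are constructed for the example, five mirroring the chain above and two benign rundll32 uses for contrast) and scores each rundll32 invocation with a small rule set written for this example. The rules and the threshold of two matching reasons are assumptions, not the Sigma rule the report refers to.

```python
import ntpath
import re
from dataclasses import dataclass, field

# rundll32 invocation: "rundll32[.exe] <module>,<entry> [args]", module optionally quoted.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
# Module in a direct subfolder of System32/SysWOW64 (the Hsngzdtsiohsyp staging
# directory above). Legitimate subfolders exist, so this is a weak signal on its own.
SYSDIR_SUBFOLDER = re.compile(r"\\Windows\\(System32|SysWOW64)\\[^\\]+\\[^\\]+$", re.I)
KNOWN_MODULE_EXT = {".dll", ".cpl", ".ax", ".ocx", ".drv"}

# Constructed sample events ("parent image|command line"); not live telemetry.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\loaddll32.exe|cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1',
    r'C:\Windows\SysWOW64\cmd.exe|rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1',
    r'C:\Windows\SysWOW64\rundll32.exe|C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL',
    r'C:\Windows\SysWOW64\rundll32.exe|C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl',
    r'C:\Windows\SysWOW64\rundll32.exe|C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL',
    r'C:\Windows\explorer.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\svchost.exe|C:\Windows\System32\rundll32.exe C:\Windows\System32\PhotoViewer.dll,ImageView_Fullscreen C:\Users\user\a.jpg',
]


@dataclass
class Finding:
    parent: str
    cmdline: str
    module: str
    entry: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption for this example: two independent signals.
        return len(self.reasons) >= 2


def triage(parent_image: str, cmdline: str):
    """Score one process-creation event; None if it does not invoke rundll32."""
    m = RUNDLL.search(cmdline)
    if m is None:
        return None
    module, entry = m.group(1), m.group(2)
    ext = ntpath.splitext(module)[1].lower()
    f = Finding(parent_image, cmdline, module, entry)
    if ntpath.basename(parent_image).lower() == "rundll32.exe":
        f.reasons.append("rundll32 re-spawned by rundll32")
    if ext not in KNOWN_MODULE_EXT:
        f.reasons.append(f"module extension {ext or '(none)'} is not a DLL-type extension")
    if SYSDIR_SUBFOLDER.search(module):
        f.reasons.append("module staged in a subfolder of System32/SysWOW64")
    # Control_RunDLL is shell32's applet launcher; seeing it as the entry of any
    # other module means the module exports that name itself.
    if entry.lower() == "control_rundll" and ntpath.basename(module).lower() != "shell32.dll":
        f.reasons.append("Control_RunDLL entry on a module other than shell32.dll")
    if entry.startswith("#"):
        f.reasons.append("export called by ordinal")
    if USER_WRITABLE.search(module):
        f.reasons.append("module loaded from a user-writable path")
    return f


def triage_report(lines):
    """Parse "parent|cmdline" lines and return one Finding per rundll32 invocation."""
    findings = []
    for line in lines:
        parent, cmdline = line.split("|", 1)
        f = triage(parent, cmdline)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_report(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.module},{f.entry}")
        for r in f.reasons:
            print(f"           - {r}")
```

Each rule has legitimate hits by itself (installers stage DLLs under System32, ordinal exports are used by some Microsoft tooling), which is why the verdict requires two reasons: the five lines from the chain above collect between two and four, while the two benign lines collect none.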

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C7C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 000000006E9B6672 second address: 000000006E9B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF1C9086B21h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
                      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 000000006E9B8A23 second address: 000000006E9B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF1C90F2E9Eh 0x00000007 rdtscp
                      Source: C:\Windows\System32\loaddll32.exeRDTSC instruction interceptor: First address: 000000006E9B6672 second address: 000000006E9B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF1C9086B21h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
                      Source: C:\Windows\System32\loaddll32.exeRDTSC instruction interceptor: First address: 000000006E9B8A23 second address: 000000006E9B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF1C90F2E9Eh 0x00000007 rdtscp
                      Source: C:\Windows\System32\svchost.exe TID: 6596Thread sleep time: -180000s >= -30000s
                      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B6620 rdtscp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9DD1EE FindFirstFileExA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9DD1EE FindFirstFileExA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EB1A80 FindFirstFileW,
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000019.00000002.631552535.0000025AA8C81000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C849D IsProcessorFeaturePresent,GetProcessHeap,HeapAlloc,InitializeSListHead,GetProcessHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0105DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B6620 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C849D mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B6510 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B8A50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9D69AA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00D0DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9B6620 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9C849D mov esi, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9B6510 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9B8A50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9D69AA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0324DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00B3DE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00EBDE10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E9C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
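The two RDTSC interceptor lines above show the same shape twice: an rdtscp, a test edx, edx followed by a short conditional branch, and a second rdtscp 7 or 15 bytes later. The Python below is an added example, not code from this report or from the sample: it re-encodes those two instruction sequences as bytes (the rel8 displacements of the jne/jnbe are assumptions, since the report prints only resolved targets; the other encodings follow from the listed instructions and the printed offsets) and scans a buffer for time-stamp-counter reads that sit close together with a short Jcc between them, which is the pattern a static triage pass over an unpacked image can use to locate timing checks before they are reached in a debugger.

```python
RDTSC = b"\x0f\x31"        # rdtsc : EDX:EAX = time-stamp counter
RDTSCP = b"\x0f\x01\xf9"   # rdtscp: same, plus ECX = TSC_AUX, waits for prior instructions

# Constructed: the two sequences from the report, re-encoded by hand. The jne/jnbe rel8
# displacements (05 / 02) are assumptions; the report prints only the resolved targets.
SEQ_A = bytes.fromhex(
    "0f01f9"      # 0x00 rdtscp
    "894de8"      # 0x03 mov dword ptr [ebp-18h], ecx
    "85d2"        # 0x06 test edx, edx
    "7505"        # 0x08 jne short
    "bfda69280c"  # 0x0a mov edi, 0C2869DAh
    "0f01f9"      # 0x0f rdtscp
)
SEQ_B = bytes.fromhex(
    "0f01f9"      # 0x00 rdtscp
    "85d2"        # 0x03 test edx, edx
    "7702"        # 0x05 jnbe short
    "0f01f9"      # 0x07 rdtscp
)
FILLER = bytes(64)  # zero padding so the two sequences are not adjacent
SAMPLE_BLOB = FILLER + SEQ_A + FILLER + SEQ_B + FILLER


def find_tsc_reads(blob: bytes):
    """Offsets of every rdtsc / rdtscp opcode. This is a byte scan, not a disassembly:
    the patterns can also occur inside immediates or data, so hits are candidates."""
    hits = []
    i = 0
    while i < len(blob):
        if blob.startswith(RDTSCP, i):
            hits.append((i, "rdtscp"))
            i += len(RDTSCP)
        elif blob.startswith(RDTSC, i):
            hits.append((i, "rdtsc"))
            i += len(RDTSC)
        else:
            i += 1
    return hits


def find_timing_checks(blob: bytes, window: int = 32):
    """Pair consecutive TSC reads no more than `window` bytes apart and note whether a
    short Jcc opcode (0x70-0x7F) lies between them, as in both reported sequences."""
    reads = find_tsc_reads(blob)
    checks = []
    for (a, mnem_a), (b, _) in zip(reads, reads[1:]):
        gap = b - a
        if gap > window:
            continue
        first_len = len(RDTSCP) if mnem_a == "rdtscp" else len(RDTSC)
        between = blob[a + first_len:b]
        checks.append({
            "first": a,
            "second": b,
            "gap": gap,
            "branch_between": any(0x70 <= x <= 0x7F for x in between),
        })
    return checks


if __name__ == "__main__":
    for c in find_timing_checks(SAMPLE_BLOB):
        print(f"TSC pair at 0x{c['first']:x}/0x{c['second']:x}, gap {c['gap']} bytes, "
              f"Jcc between: {c['branch_between']}")
```

Run against the constructed buffer it reports exactly the two pairs from the report (gaps of 15 and 7 bytes, each with a branch in between). Because it matches opcode bytes rather than decoding instructions, confirm each candidate in a disassembler; the value of the scan is that it turns the two addresses the sandbox intercepted at runtime into something you can look for statically in a dump.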

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 51.178.61.60 187
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                      Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C5916 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      The matrix is reproduced here per tactic column. Techniques carrying a number in parentheses are the ones the report matched; the digits are the matrix's signature-hit markers exactly as extracted. Entries without a number are the matrix's default column fillers and were not observed.

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                      Persistence: Application Shimming (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection (112); Application Shimming (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Defense Evasion: Masquerading (2); Virtualization/Sandbox Evasion (1); Process Injection (112); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (2); Rundll32 (1); File Deletion (1)
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: System Time Discovery (1); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (134); Network Service Scanning
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                      Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (1); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 524862
Sample: wNjqkrm8pH
Start date: 19/11/2021
Architecture: WINDOWS
Score: 100

Network nodes:
• 85.214.67.203 STRATOSTRATOAGDE Germany
• 195.154.146.35 OnlineSASFR France
• 17 other IPs or domains
• 192.168.2.1 unknown unknown (contacted by svchost.exe)
• 51.178.61.60, port 443, source port 49747, OVHFR France (contacted by the innermost rundll32.exe)

Signatures on the sample:
• Sigma detected: Emotet RunDLL32 Process Creation
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• 3 other signatures

Process tree:
• loaddll32.exe (Tries to detect virtualization through RDTSC time measurements)
  • rundll32.exe (Tries to detect virtualization through RDTSC time measurements; Hides that the sample has been downloaded from the Internet (zone.identifier))
    • rundll32.exe
      • rundll32.exe, connects to 51.178.61.60:443 (System process connects to network (likely due to code injection or exploit))
  • cmd.exe
    • rundll32.exe
      • rundll32.exe
  • rundll32.exe
    • rundll32.exe
  • 2 other processes
    • rundll32.exe
• svchost.exe, contacts 192.168.2.1
• svchost.exe
• 2 other processes

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
wNjqkrm8pH.dll | 24% | Virustotal | (none)

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.1040000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
2.2.rundll32.exe.cf0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
5.2.rundll32.exe.b20000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
14.2.rundll32.exe.ea0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
2.2.rundll32.exe.e45298.1.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.3230000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
4.2.rundll32.exe.1030000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.3230000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000019.00000003.607542266.0000025AA9575000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.607594577.0000025AA9599000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp; svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                      Contacted IPs

                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
196.44.98.190 | unknown | Ghana | 327814 | EcobandGH | true
78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.59.209.141 | unknown | France | 16276 | OVHFR | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
45.79.33.48 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
185.148.169.10 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
54.38.242.185 | unknown | France | 16276 | OVHFR | true
195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
51.178.61.60 | unknown | France | 16276 | OVHFR | true
177.72.80.14 | unknown | Brazil | 262543 | NewLifeFibraBR | true
66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
51.210.242.234 | unknown | France | 16276 | OVHFR | true

                      Private

                      IP
                      192.168.2.1

                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 524862
Start date: 19.11.2021
Start time: 01:03:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: wNjqkrm8pH (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@27/0@0/21
EGA Information: Failed
HDC Information:
• Successful, ratio: 17.6% (good quality ratio 16%)
• Quality average: 69.9%
• Quality standard deviation: 29.6%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.54.110.249, 40.91.112.76
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
01:06:37 | API Interceptor | 8x Sleep call for process: svchost.exe modified

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection
207.148.81.119 | 5YO8hZg21O.dll, dUGnMYeP1C.dll, yFAXc9z51V.dll, 9fC0as7YLE.dll, FIyE6huzxV.dll, V0gZWRXv8d.dll, t5EuQW2GUF.dll, uh1WyesPlh.dll, 8rryPzJR1p.dll, a65FgjVus4.dll, bWjYh6H8wk.dll, ZJOHKItBoJ.dll, eyPPiz3W6u.dll, HjYSwxqyUn.dll, f47YPsvRI3.dll, 2n64VXT08V.dll, qUr4bXsweR.dll, 52O6evfqQT.dll, ONEitXKvz6.dll, 1w9i8K6AzWV5RmHTSn8.dll | all malicious
196.44.98.190 | the same 20 samples as for 207.148.81.119 | all malicious
78.46.73.125 | the same 20 samples as for 207.148.81.119 | all malicious

                                                                                                                                              Domains

                                                                                                                                              No context

                                                                                                                                              ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
HETZNER-ASDE | 5YO8hZg21O.dll, dUGnMYeP1C.dll, yFAXc9z51V.dll, 9fC0as7YLE.dll, FIyE6huzxV.dll, V0gZWRXv8d.dll, t5EuQW2GUF.dll, uh1WyesPlh.dll, 8rryPzJR1p.dll, a65FgjVus4.dll, bWjYh6H8wk.dll, ZJOHKItBoJ.dll, eyPPiz3W6u.dll, HjYSwxqyUn.dll, f47YPsvRI3.dll, 2n64VXT08V.dll, qUr4bXsweR.dll, 52O6evfqQT.dll, ONEitXKvz6.dll | all malicious | 78.47.204.80
HETZNER-ASDE | F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe | malicious | 5.9.162.45
AS-CHOOPAUS | the same 19 .dll samples as for HETZNER-ASDE | all malicious | 66.42.57.149
AS-CHOOPAUS | F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe | malicious
                                                                                                                                              • 149.28.253.196
                                                                                                                                              EcobandGH5YO8hZg21O.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              dUGnMYeP1C.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              yFAXc9z51V.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              9fC0as7YLE.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              FIyE6huzxV.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              V0gZWRXv8d.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              t5EuQW2GUF.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              uh1WyesPlh.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              8rryPzJR1p.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              a65FgjVus4.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              bWjYh6H8wk.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              ZJOHKItBoJ.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              eyPPiz3W6u.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              HjYSwxqyUn.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              f47YPsvRI3.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              2n64VXT08V.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              qUr4bXsweR.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              52O6evfqQT.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              ONEitXKvz6.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190
                                                                                                                                              1w9i8K6AzWV5RmHTSn8.dllGet hashmaliciousBrowse
                                                                                                                                              • 196.44.98.190

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: 51c64c77e60f3980eea90869b68c58a8
5YO8hZg21O.dll | malicious
• 51.178.61.60
dUGnMYeP1C.dll | malicious
• 51.178.61.60
yFAXc9z51V.dll | malicious
• 51.178.61.60
9fC0as7YLE.dll | malicious
• 51.178.61.60
FIyE6huzxV.dll | malicious
• 51.178.61.60
V0gZWRXv8d.dll | malicious
• 51.178.61.60
t5EuQW2GUF.dll | malicious
• 51.178.61.60
uh1WyesPlh.dll | malicious
• 51.178.61.60
8rryPzJR1p.dll | malicious
• 51.178.61.60
a65FgjVus4.dll | malicious
• 51.178.61.60
bWjYh6H8wk.dll | malicious
• 51.178.61.60
ZJOHKItBoJ.dll | malicious
• 51.178.61.60
eyPPiz3W6u.dll | malicious
• 51.178.61.60
02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe | malicious
• 51.178.61.60
HjYSwxqyUn.dll | malicious
• 51.178.61.60
f47YPsvRI3.dll | malicious
• 51.178.61.60
2n64VXT08V.dll | malicious
• 51.178.61.60
qUr4bXsweR.dll | malicious
• 51.178.61.60
52O6evfqQT.dll | malicious
• 51.178.61.60
ONEitXKvz6.dll | malicious
• 51.178.61.60

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.178846163511901
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
• Clipper DOS Executable (2020/12) 0.20%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wNjqkrm8pH.dll
File size: 485376
MD5: 699b39c805f6a366707eb9a0e580bc0d
SHA1: 04489a4c9d50b62a9ff16f5baa67f568b2eb46ed
SHA256: 142d330305cf2bba895b000b9c7c2da6c6b38cb728d3fb347da8dd9f0bed4845
SHA512: 840b88d0d294b84b46e15eb6f6172171e370cc91d1dce89daa8d5dd5b9133683797b382fc61545c9fb73d4278819c48322c8063ccf6711611fc0442ae79ba31f
SSDEEP: 12288:bdv8jkvzqZvv2wLBymTi12yD88kYwZ1h1:b2Zvv2c1Ti1v0Z1h
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10015826
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 261bae8b02d2e7bf979e55d76b9dc786

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FF1C8DD9A27h
call 00007FF1C8DD9E7Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FF1C8DD98D8h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF1C8DC586Eh
mov dword ptr [esi], 1003B3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B3F0h
mov dword ptr [ecx], 1003B3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF1C8DC583Bh
mov dword ptr [esi], 1003B404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B40Ch
mov dword ptr [ecx], 1003B404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003B3DCh
push eax
call 00007FF1C8DDD136h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FF1C8DD9A2Ch
push 0000000Ch
push esi
call 00007FF1C8DD8EADh
pop ecx
pop ecx
                                                                                                                                              mov eax, esi
                                                                                                                                              pop esi
                                                                                                                                              pop ebp
                                                                                                                                              retn 0004h
                                                                                                                                              push ebp
                                                                                                                                              mov ebp, esp
                                                                                                                                              sub esp, 0Ch
                                                                                                                                              lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                              call 00007FF1C8DD999Fh
                                                                                                                                              push 0004CC44h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4d710 | 0x5c0 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4dcd0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x24410 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x77000 | 0x33a0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x498f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x2f8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3930c | 0x39400 | False | 0.530729735262 | data | 6.66187646144 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3b000 | 0x13cfe | 0x13e00 | False | 0.464512087264 | data | 5.41556152438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4f000 | 0x252c | 0x1800 | False | 0.223795572917 | data | 3.845062089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x52000 | 0x24410 | 0x24600 | False | 0.818513745704 | data | 7.74948390886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x77000 | 0x33a0 | 0x3400 | False | 0.71484375 | data | 6.58405020621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
REGISTRY | 0x758d0 | 0x98 | ASCII text, with CRLF line terminators | English | United States
REGISTRY | 0x75968 | 0x260 | ASCII text, with CRLF line terminators | English | United States
TYPELIB | 0x75bc8 | 0x69c | data | English | United States
RT_BITMAP | 0x52220 | 0x23467 | data | English | United States
RT_STRING | 0x76268 | 0x26 | data | English | United States
RT_VERSION | 0x75688 | 0x244 | data | English | United States
RT_MANIFEST | 0x76290 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
pdh.dll | PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll | GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll | GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll | SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll | RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll | ShellExecuteW, SHGetFolderPathW
ole32.dll | CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll | LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib

Exports

Name | Ordinal | Address
Control_RunDLL | 1 | 0x10001200
abziuleoxsborpb | 2 | 0x10001570
aejkroaebsbxdnkhb | 3 | 0x10001430
amgshvm | 4 | 0x10001340
bjtmgxqrshhlmbh | 5 | 0x10001320
ciqnowraabbra | 6 | 0x100013e0
cmiqzvq | 7 | 0x10001450
crprctzst | 8 | 0x10001360
cwiynhgawsfh | 9 | 0x100012f0
dhfyfrdbpo | 10 | 0x100012c0
dvmyigplnf | 11 | 0x10001480
erlpzdqhrlacaxnda | 12 | 0x10001440
euduauchas | 13 | 0x100014b0
fjorczheej | 14 | 0x10001390
fqtruzg | 15 | 0x100014c0
fzxvmnutn | 16 | 0x100014d0
ghrfpkc | 17 | 0x10001280
ghrmmrvezk | 18 | 0x10001530
hjbgnfzrilso | 19 | 0x100015d0
hvbblczdjkdx | 20 | 0x10001310
ifsmmtyjag | 21 | 0x10001310
jbgiwxjtyvvaxuitk | 22 | 0x10001410
jhjtpuvq | 23 | 0x10001260
jovvzziqyeznb | 24 | 0x100015a0
kbkufclc | 25 | 0x100014e0
kxpdpqduritjwfv | 26 | 0x10001560
lfirwsslmgzmfg | 27 | 0x10001330
mdaepyqwwigtzy | 28 | 0x10001500
meqzizr | 29 | 0x10001350
mmykgdmikdunzlhbb | 30 | 0x10001520
mxqliouinhlsqvw | 31 | 0x100013b0
mzxbssgzqetjmifs | 32 | 0x10001490
ndzjkcaftnq | 33 | 0x10001510
nfwlevhbaunupm | 34 | 0x100013c0
njhdfbkyxqtwtcvsa | 35 | 0x10001300
nmzgdiluzbemovs | 36 | 0x10001400
obsypougzzamg | 37 | 0x100013d0
oqzjqpsxbjh | 38 | 0x100012d0
ormmaboaiinycs | 39 | 0x10001230
pejacnmfhwmlhqc | 40 | 0x10001340
pzgjkxaqryk | 41 | 0x100015b0
qlsxhmuh | 42 | 0x10001240
rykrtqanuszehh | 43 | 0x10001550
sktlwejyhkbweva | 44 | 0x100014a0
sromrbjt | 45 | 0x10001460
txrogplicljtdlky | 46 | 0x100012e0
tywxzfemhfuvwwqtq | 47 | 0x10001270
ukeirvjwemstdk | 48 | 0x10001250
usfroye | 49 | 0x10001370
varapmou | 50 | 0x100013a0
vjfbgya | 51 | 0x100015c0
vpzxnmg | 52 | 0x10001590
wniijfgeibtaumvma | 53 | 0x100014f0
wtkpnwha | 54 | 0x10001470
xkdmdojzjns | 55 | 0x10001420
yumftkya | 56 | 0x100012a0
ywkvngmohrw | 57 | 0x10001380
ywwwgcpzcec | 58 | 0x10001580
yyldomdvsymz | 59 | 0x10001290
zdcdzgtngf | 60 | 0x100012b0
zwxnlwalmcbgmt | 61 | 0x100013f0
zzvywuxdvuecsm | 62 | 0x10001540

Version Infos

Description | Data
InternalName | Erulfuaekg.dll
FileVersion | 3.3.7.9
ProductName | Erulfuaekg
ProductVersion | 3.3.7.9
FileDescription | asdzxcqwe123
OriginalFilename | Erulfuaekg.dll
Translation | 0x0408 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/21-01:05:43.275474 | TCP | 2404334 | ET CNC Feodo Tracker Reported CnC Server TCP group 18 | 49747 | 443 | 192.168.2.3 | 51.178.61.60

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2021 01:05:43.275474072 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:43.275517941 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:43.275712967 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:43.299204111 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:43.299223900 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:43.413537025 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:43.413645029 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.099797964 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.099821091 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:44.100207090 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:44.100284100 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.103406906 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.144865990 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:44.345132113 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:44.345248938 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3
Nov 19, 2021 01:05:44.345266104 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.345321894 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.458115101 CET | 49747 | 443 | 192.168.2.3 | 51.178.61.60
Nov 19, 2021 01:05:44.458143950 CET | 443 | 49747 | 51.178.61.60 | 192.168.2.3

                                                                                                                                              HTTP Request Dependency Graph

                                                                                                                                              • 51.178.61.60

                                                                                                                                              HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49747 | 51.178.61.60 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-19 00:05:44 UTC | 0 | OUT | GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1
Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
2021-11-19 00:05:44 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 19 Nov 2021 00:05:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2021-11-19 00:05:44 UTC | 0 | IN | Data Raw: 33 65 66 0d 0a 64 ca 1e 80 24 75 d9 5f ee 00 12 92 90 60 fe f8 4d d1 a6 22 5d 8c 03 6e 4b a1 65 50 63 f0 b0 2c 53 25 07 40 a3 d4 75 42 b0 75 c8 40 29 fa 6d bd 0e 24 50 70 4b a0 6d 4a 27 64 30 32 1c a5 25 f6 a7 bb 80 a9 b6 03 92 b0 86 98 93 28 65 f6 fe 17 3c 99 d3 e1 42 66 bc 20 1d de 33 25 a4 8e 5c 71 33 e9 ca 67 9b 05 79 4c cf b2 00 84 fa c7 cc 22 0c b8 4d ea ea 2b 14 fa 7a f2 30 5f e2 99 0e b9 6b 60 ce 5f b4 b8 2b 21 87 95 68 af c6 3e b3 b9 ae f2 90 f2 ba 41 bc dc 54 85 fb 2b 24 b4 82 48 be e2 65 61 34 59 b3 40 c2 f7 db 69 ed 16 4d 8a f2 1f 59 b0 eb 38 4b c6 36 68 f8 75 17 c3 98 f6 b0 3c cc b2 08 8a bd 1c 2f b7 cf a2 d1 fe e9 df 23 dd 25 e4 6f ab 7c be 65 6e 4f 19 56 78 f9 f1 73 7d 71 19 7c 8d 08 35 28 57 9f f0 2d 2b 35 7e 87 17 f5 5a f0 0e f3 d7 86 b1
Data Ascii: 3efd$u_`M"]nKePc,S%@uBu@)m$PpKmJ'd02%(e<Bf 3%\q3gyL"M+z0_k`_+!h>AT+$Hea4Y@iMY8K6hu</#%o|enOVxs}q|5(W-+5~Z
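The proxied exchange above is the C2 check-in the report flags ("C2 URLs / IPs found in malware configuration", "HTTP GET or POST without a user agent"): a GET to a bare IP with a long random-letter path, no User-Agent, a single Cookie whose value is base64-encoded ciphertext, and Cache-Control: no-cache. The reply declares text/html but its body, after the chunk-size line 3ef\r\n (0x3ef = 1007 bytes), is not decodable as text. The script below is an added example written for this page, not part of the Joe Sandbox report or of Emotet itself: it reconstructs those indicators as detection logic and runs them over the request and response transcribed from the table (the response body is the first bytes shown). The indicator names, the length thresholds (16 letters for the path, 64 characters for the cookie value) and the alert threshold in score() are this example's own choices.

```python
import ipaddress
import re

# Constructed sample input, transcribed from the proxied-packets table above.
SAMPLE_REQUEST = (
    "GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1\r\n"
    "Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 19 Nov 2021 00:05:44 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\n"
    "Connection: close\r\n\r\n"
)
# First bytes of the raw body: chunk-size line "3ef\r\n" followed by ciphertext.
SAMPLE_RESPONSE_BODY = bytes.fromhex(
    "33 65 66 0d 0a 64 ca 1e 80 24 75 d9 5f ee 00 12 92 90 60 fe f8 4d d1 a6"
    " 22 5d 8c 03 6e 4b a1 65 50 63 f0 b0 2c 53 25 07 40 a3 d4 75 42 b0 75 c8"
)


def parse_http_head(raw: str):
    """Split an HTTP message head into (start line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyse_request(raw: str) -> list:
    """Return the beacon indicators that fire on one HTTP request."""
    start, headers = parse_http_head(raw)
    method, path, _version = start.split(" ", 2)
    hits = []
    if "user-agent" not in headers:
        hits.append("no-user-agent")
    host = headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)          # Host is an IP literal, not a name
        hits.append("bare-ip-host")
    except ValueError:
        pass
    if method in ("GET", "POST") and re.fullmatch(r"/[A-Za-z]{16,}/?", path):
        hits.append("random-alpha-path")
    # exactly one cookie whose value is a long base64 blob (assumed threshold: 64 chars)
    if re.fullmatch(r"\s*[A-Za-z0-9]+=[A-Za-z0-9+/]{64,}={0,2}\s*", headers.get("cookie", "")):
        hits.append("single-base64-cookie")
    if headers.get("cache-control", "").lower() == "no-cache":
        hits.append("no-cache")
    return hits


def first_chunk_size(body: bytes) -> int:
    """Size declared by the first chunk-size line of a chunked body (hex, optional ;ext)."""
    size_line = body.partition(b"\r\n")[0]
    return int(size_line.split(b";")[0], 16)


def analyse_response(head: str, body: bytes) -> list:
    """Flag a body that is declared as text but does not decode as UTF-8."""
    _status, headers = parse_http_head(head)
    payload = body
    if headers.get("transfer-encoding", "").lower() == "chunked":
        payload = body.partition(b"\r\n")[2]   # skip the chunk-size line
    hits = []
    if headers.get("content-type", "").lower().startswith("text/"):
        try:
            payload.decode("utf-8")
        except UnicodeDecodeError:
            hits.append("declared-text-but-binary-body")
    return hits


def score(request_hits: list, response_hits: list) -> bool:
    """Assumed alert rule: at least four request indicators plus the body check."""
    return len(request_hits) >= 4 and bool(response_hits)


if __name__ == "__main__":
    rq = analyse_request(SAMPLE_REQUEST)
    rs = analyse_response(SAMPLE_RESPONSE_HEAD, SAMPLE_RESPONSE_BODY)
    print(rq, rs, first_chunk_size(SAMPLE_RESPONSE_BODY), score(rq, rs))
```

The request-side checks are the ones that survive a change of C2 server, since the path and cookie name are regenerated per check-in but their shape is not; the body check needs the decrypted TLS stream, which in a sandbox comes from the HTTPS proxy and on a network from TLS inspection.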


                                                                                                                                              Code Manipulations

                                                                                                                                              Statistics

                                                                                                                                              Behavior

                                                                                                                                              System Behavior

                                                                                                                                              General

                                                                                                                                              Start time:01:04:10
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll"
                                                                                                                                              Imagebase:0xe10000
                                                                                                                                              File size:893440 bytes
                                                                                                                                              MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:10
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                                                                                                                                              Imagebase:0xd80000
                                                                                                                                              File size:232960 bytes
                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:11
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:11
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:15
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:23
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:38
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:38
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:04:56
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
                                                                                                                                              Imagebase:0x1150000
                                                                                                                                              File size:61952 bytes
                                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:01:05:05
                                                                                                                                              Start date:19/11/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              Wow64 process (32bit):true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Imagebase: 0x1150000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:05:06
Start date: 19/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Imagebase: 0x1150000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:05:12
Start date: 19/11/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:05:13
Start date: 19/11/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
Imagebase: 0x1150000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, Author: Joe Security

General

Start time: 01:05:48
Start date: 19/11/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:06:12
Start date: 19/11/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:06:35
Start date: 19/11/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
