Windows Analysis Report pPX9DaPVYj

Overview

General Information

Sample Name:	pPX9DaPVYj (renamed file extension from none to dll)
Analysis ID:	528003
MD5:	8b540033f4ffd79e5109e41a06f3e876
SHA1:	86a8b94f1a3102ad3741fabccfe5ea5d9a3bf624
SHA256:	2b3700c2a383b322dadfebfea00d9bc85b05a37793dc366954dd8c882f3006e2
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Multi AV Scanner detection for domain / URL

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 6.2.rundll32.exe.3146c98.0.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Source: pPX9DaPVYj.dll	Virustotal: Detection: 17%			Perma Link
Source: pPX9DaPVYj.dll	ReversingLabs: Detection: 17%

Multi AV Scanner detection for domain / URL

Source: https://196.44.98.190/

Virustotal: Detection: 10%

Perma Link

Machine Learning detection for sample

Source: pPX9DaPVYj.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.rundll32.exe.28b6cb8.0.unpack

Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses 32bit PE files

Source: pPX9DaPVYj.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.7:49751 version: TLS 1.2

Source: pPX9DaPVYj.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFC188A FindFirstFileExW,	4_2_6EFC188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFC188A FindFirstFileExW,	5_2_6EFC188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10011A80 FindFirstFileW,	11_2_10011A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.7:49751 -> 51.178.61.60:443
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.7:49752 -> 168.197.250.14:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.7:49753 -> 45.79.33.48:8080
Source: Traffic	Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.7:49757 -> 196.44.98.190:8080
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.7:49772 -> 177.72.80.14:7080
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.7:49772

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /euUFqPgNCDyXyAnWOWQLJNWJizfGCbPiK HTTP/1.1Cookie: VkztqiHrcfJdN=ApwlpkLXHikt80ZX+rUy7QNus1UrOzvArQ2wT9a3pzG/LUBUBtVLGWZUvhWo++76HscbZaar1ecNJ2NE9drzI+WYO0CrHXBK96gsrw5gCDv1H6FDJl4E1ekAk6rTT5+tRKnKwaubeNjES2yzAZ1ahqbQap+ahvLDVY0Qeg8dZyFp/mT2xfuy2YrZ9Y4gh8SdNUmOMTIzF7OqgRdAc+m0GdjTDMrrOF8BD44A4Z4RsQ0CT4V3SWcXRNU/sbnThRJ79M/3w70CfUdRJu8qNans8M5bB4RoXwYtmb2k0+VOyCLBxVpjHost: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.7:49753 -> 45.79.33.48:8080
Source: global traffic	TCP traffic: 192.168.2.7:49757 -> 196.44.98.190:8080
Source: global traffic	TCP traffic: 192.168.2.7:49772 -> 177.72.80.14:7080

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Nov 2021 15:52:19 GMTContent-Type: text/htmlContent-Length: 162Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14

Source: svchost.exe, 00000018.00000003.391800601.000001961E189000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000018.00000003.391800601.000001961E189000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000003.391800601.000001961E189000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.391812241.000001961E19B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000018.00000003.391800601.000001961E189000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.391812241.000001961E19B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000008.00000002.604698069.000001E15FA62000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.278820009.00000000031DD000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.407621482.000001961E10B000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.408682546.000001961E10C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.604698069.000001E15FA62000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000018.00000003.386525296.000001961E18F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386693372.000001961E1AF000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386618019.000001961E199000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386570925.000001961E16C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386589261.000001961E17D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386716259.000001961E16C000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000008.00000002.604454697.000001E15A2B1000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.603917359.000001E15A2B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svchost.exe, 0000000F.00000002.307962780.0000025B4EE13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000002.777972901.0000025622041000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000D.00000002.777972901.0000025622041000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/AR1B
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/HR
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/ctsONulME
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/z
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14/
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14/ZR8B
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14:7080/iWFUUeWljUhVsRHEOKBBOqGWSiJFZYkHnHENgHC
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://196.44.98.190/
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://196.44.98.190:8080/fRmCLCTmnCqbhnJwguPmnKiWalLOGONSERVER=
Source: rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48/
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/J
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/PrpBPOmfFHGkdQRTlGtZeqncCXIcx
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/PrpBPOmfFHGkdQRTlGtZeqncCXIcx5E4AB229
Source: rundll32.exe, 0000000B.00000002.779087689.00000000031D7000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.513345990.00000000031D7000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/PrpBPOmfFHGkdQRTlGtZeqncCXIcxL
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/b
Source: rundll32.exe, 0000000B.00000003.328519511.00000000031D8000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/cx
Source: rundll32.exe, 0000000B.00000003.278901559.00000000031BA000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328685207.00000000031BC000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 0000000B.00000003.278901559.00000000031BA000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328685207.00000000031BC000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/20
Source: rundll32.exe, 0000000B.00000003.328685207.00000000031BC000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/euUFqPgNCDyXyAnWOWQLJNWJizfGCbPiK
Source: svchost.exe, 0000000D.00000002.777972901.0000025622041000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000D.00000002.777972901.0000025622041000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000002.777972901.0000025622041000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000003.307669554.0000025B4EE49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.307991216.0000025B4EE3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000003.307634342.0000025B4EE51000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308016792.0000025B4EE55000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000003.285856181.0000025B4EE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.307991216.0000025B4EE3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000F.00000003.285856181.0000025B4EE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000F.00000003.307688552.0000025B4EE40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000F.00000002.307997677.0000025B4EE42000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307709990.0000025B4EE41000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307688552.0000025B4EE40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.308002830.0000025B4EE4B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307688552.0000025B4EE40000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307669554.0000025B4EE49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000018.00000003.386525296.000001961E18F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386693372.000001961E1AF000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386618019.000001961E199000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386570925.000001961E16C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386589261.000001961E17D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386716259.000001961E16C000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000F.00000003.307669554.0000025B4EE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000002.308002830.0000025B4EE4B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307669554.0000025B4EE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000002.308002830.0000025B4EE4B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307669554.0000025B4EE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.307703491.0000025B4EE45000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000F.00000003.307655084.0000025B4EE60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.307991216.0000025B4EE3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.285856181.0000025B4EE30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000002.307991216.0000025B4EE3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.307991216.0000025B4EE3D000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.307962780.0000025B4EE13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000003.307688552.0000025B4EE40000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307703491.0000025B4EE45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000003.307688552.0000025B4EE40000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307703491.0000025B4EE45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.285856181.0000025B4EE30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000003.285856181.0000025B4EE30000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307722267.0000025B4EE39000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000F.00000002.307962780.0000025B4EE13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000018.00000003.386525296.000001961E18F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386693372.000001961E1AF000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386618019.000001961E199000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386570925.000001961E16C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386589261.000001961E17D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386716259.000001961E16C000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000018.00000003.386525296.000001961E18F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386693372.000001961E1AF000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386618019.000001961E199000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386570925.000001961E16C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386589261.000001961E17D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.386716259.000001961E16C000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000018.00000003.387694664.000001961E176000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.387711669.000001961E187000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_10021027 InternetReadFile,

11_2_10021027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.7:49751 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000001.00000002.261078261.0000000000FEB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 11.3.rundll32.exe.3186e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2aa6d88.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.3146c98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.28b6cb8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.3186e08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2aa6d88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.3146c98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rundll32.exe.28b6cb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3146c98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.rundll32.exe.3186e08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2eb6e00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3146c98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.rundll32.exe.3186e08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.28b6cb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.3186e08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2eb6e00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.259345300.00000000028B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.778948976.0000000003173000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.261741914.000000000310A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.258654572.0000000002AA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.257305049.0000000003146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.513585241.0000000003173000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.328562700.0000000003173000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.258124529.00000000028B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.264342755.0000000002EB6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.278848660.0000000003173000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: pPX9DaPVYj.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Vjqsuducipqiide\jbquc.oem:Zone.Identifier

Source: pPX9DaPVYj.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pPX9DaPVYj.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pPX9DaPVYj.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pPX9DaPVYj.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vjqsuducipqiide\jbquc.oem",sMzvxqlLQp
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vjqsuducipqiide\jbquc.oem",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pPX9DaPVYj.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pPX9DaPVYj.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pPX9DaPVYj.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vjqsuducipqiide\jbquc.oem",sMzvxqlLQp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vjqsuducipqiide\jbquc.oem",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\7ce3e80173264ea19b05306b865eadf9
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4812:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: pPX9DaPVYj.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pPX9DaPVYj.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pPX9DaPVYj.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pPX9DaPVYj.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pPX9DaPVYj.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pPX9DaPVYj.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pPX9DaPVYj.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pPX9DaPVYj.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pPX9DaPVYj.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pPX9DaPVYj.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pPX9DaPVYj.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFABAD4 push ebx; iretd	4_2_6EFABADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFAC7C9 push esi; retf	4_2_6EFAC7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFA9C81 push eax; retf	4_2_6EFA9C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFBD066 push ecx; ret	4_2_6EFBD079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFACDEB push esp; ret	4_2_6EFACDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFA5DD9 push eax; ret	4_2_6EFA5DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFAAD03 push esi; iretd	4_2_6EFAAD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFABAD4 push ebx; iretd	5_2_6EFABADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFAC7C9 push esi; retf	5_2_6EFAC7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFA9C81 push eax; retf	5_2_6EFA9C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFBD066 push ecx; ret	5_2_6EFBD079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFACDEB push esp; ret	5_2_6EFACDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFA5DD9 push eax; ret	5_2_6EFA5DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFAAD03 push esi; iretd	5_2_6EFAAD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10016134 push edi; retf 0040h	5_2_10016135
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001229 push eax; retf	5_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001475A pushfd ; iretd	5_2_1001475B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001229 push eax; retf	6_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10016134 push edi; retf 0040h	6_2_10016135
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001475A pushfd ; iretd	6_2_1001475B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001229 push eax; retf	7_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10016134 push edi; retf 0040h	7_2_10016135
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001475A pushfd ; iretd	7_2_1001475B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10001229 push eax; retf	9_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10016134 push edi; retf 0040h	9_2_10016135
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001475A pushfd ; iretd	9_2_1001475B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10001229 push eax; retf	11_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10016134 push edi; retf 0040h	11_2_10016135
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001475A pushfd ; iretd	11_2_1001475B

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vjqsuducipqiide\jbquc.oem:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Unedamop\kyuonpy.jno:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 1976	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1976	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5124	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: svchost.exe, 00000008.00000002.604698069.000001E15FA62000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000008.00000002.604276820.000001E15A229000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.604674665.000001E15FA4C000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.278901559.00000000031BA000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.328685207.00000000031BC000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.408537691.000001961DAE7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000018.00000002.408420499.000001961DA6F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.777972901.0000025622041000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.777791842.0000020FCF829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFC14AE mov eax, dword ptr fs:[00000030h]	4_2_6EFC14AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFBF416 mov eax, dword ptr fs:[00000030h]	4_2_6EFBF416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFC14AE mov eax, dword ptr fs:[00000030h]	5_2_6EFC14AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFBF416 mov eax, dword ptr fs:[00000030h]	5_2_6EFBF416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DE10 mov eax, dword ptr fs:[00000030h]	5_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DE10 mov eax, dword ptr fs:[00000030h]	6_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DE10 mov eax, dword ptr fs:[00000030h]	7_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001DE10 mov eax, dword ptr fs:[00000030h]	9_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001DE10 mov eax, dword ptr fs:[00000030h]	11_2_1001DE10

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFBCEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6EFBCEA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFBC66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6EFBC66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EFBFF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6EFBFF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFBCEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6EFBCEA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFBC66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6EFBC66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6EFBFF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6EFBFF39

Source: rundll32.exe, 0000000B.00000002.779578622.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: rundll32.exe, 0000000B.00000002.779578622.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000B.00000002.779578622.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000B.00000002.779578622.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

ID:	528003
Product:	CloudBasic
Start time:	16:51:05
Start date:	24.11.2021
Sample:	pPX9DaPVYj
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	8b540033f4ffd79e5109e41a06f3e876
SHA1:	86a8b94f1a3102ad3741fabccfe5ea5d9a3bf624
SHA256:	2b3700c2a383b322dadfebfea00d9bc85b05a37793dc366954dd8c882f3006e2
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40%

Windows Analysis Report pPX9DaPVYj

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	FC6863474F2AB1A11EBFC08BBD3E9F43	F4FC946C1C16A5CD15129652980AB2519FB9CC16	1A8B45D05E5FEF9C041CAC5111A09F4B6D00D04B1C5A7C6EB0EFC5EC5A23F68D
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x11dde58d, page size 16384, Windows version 10.0	F4B2CE76832A1FA56EE42EBD4490028E	6213A588EF51ADFD3C110FC39458E2FB722BDD5A	FDC5AB9BE3FE5EC649924CC8266D858A4595787A2EBC7C72163DFB5C232A0BC5
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	955DE7E6C960583E959E43E11EF76240	6C70D9E00A8C15BA4EBEC313E3CE9CB929C6939D	27ACE1CA277A38D3A2D2C8653F7E758696D884709D30964DB9E590DFCBC18256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61414 bytes, 1 file	ACAEDA60C79C6BCAC925EEB3653F45E0	2AAAE490BCDACCC6172240FF1697753B37AC5578	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	A4DF8E0551B740A7C7897A3D021C2A8E	5B1AD598C1746EA1CF91FFE50910C981F39C2C33	20C01CCAF31CB1DC282EEEB50DEB3AC6D5F43FEF097655A274765F17045740DE
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	DD7478D6F5FE278F580CE5440AC9CA16	987DBC4E1FF9E97EDFED9C3A02F76A67C03558C0	035D2306C5FB3AC82EF31986EA9CDDA3FBFD7876AA121D1B5ECA78C83661DEF1
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211125_005222_250.etl	data	BE4E74DFFFF3B35181EA6C5AA01FFB3A	D16BBCCA2F4E9202120BE7BFD7457936976DD81D	CB8F08C21DCCF806470F214B2ADFA42A6D12AC2FBE1918989A63D4E65A328B48