Play interactive tour

Edit tour

Windows Analysis Report NjTYb3VyzV

Overview

General Information

Sample Name:	NjTYb3VyzV (renamed file extension from none to dll)
Analysis ID:	528810
MD5:	944f5dec057269043eeb02d551e1593f
SHA1:	c6dc40330793e23a88753d1a5ba18142a0eb33b9
SHA256:	651b117d5a6c37b255cbfa465740b4ea3cea29d41175338c83b1d5b416c29a01
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3012 cmdline: loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 1536 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4624 cmdline: rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4692 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5116 cmdline: rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3180 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"], "C2 list": ["91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.4ce0000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4cf0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5140000.22.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4ed0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4980000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.46f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.46f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4b40000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4030000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4820000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4dc0000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4cf0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4980000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4620000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4030000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4090000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.49e0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.45f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.50c0000.20.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4e70000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4620000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ec0000.18.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.670000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4bc0000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.670000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5140000.22.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4bc0000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4820000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.49e0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ec0000.18.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.45f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.50c0000.20.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4090000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4dc0000.16.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4ed0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5130000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ce0000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4b40000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5130000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4e70000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 35 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6648, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, ProcessId: 1972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 8.2.rundll32.exe.4980000.8.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"], "C2 list": ["91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"]}

Multi AV Scanner detection for submitted file

Show sources

Source: NjTYb3VyzV.dll

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for sample

Show sources

Source: NjTYb3VyzV.dll

Joe Sandbox ML: detected

Source: NjTYb3VyzV.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B2CC FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.6:49762 -> 91.200.186.228:443
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 41.76.108.46:8080 -> 192.168.2.6:49765

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 41.76.108.46 144
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.200.186.228 187

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 91.200.186.228:443
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 188.165.214.166:7080
Source: Malware configuration extractor	IPs: 191.252.196.221:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: global traffic

TCP traffic: 192.168.2.6:49765 -> 41.76.108.46:8080

Source: unknown

Network traffic detected: IP country count 19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46

Source: svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000011.00000003.466921694.00000125DAD9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000011.00000003.466921694.00000125DAD9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000011.00000002.483653675.00000125DAD00000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.483357499.00000125DA4EE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.463658536.00000125DAD7E000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_041818CA InternetReadFile,

Source: loaddll32.exe, 00000000.00000002.350641355.0000000000FCB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10009963 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: NjTYb3VyzV.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Xzrjbnqqcb\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100141F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000B24B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10023277
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100145C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100227EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002396F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100149D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10013D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10022D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10014DF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1001AE22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10024F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04724410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047374A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04738563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04736349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04737C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04730F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04723894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047309F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04734A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04735406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047424FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047284B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047265A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047275A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04730610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04726693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04722735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04728784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04742081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047313D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047393A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04738389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04727C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04734CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04735CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04724D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04736DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04721DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04725E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04731F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472AFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047338F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04739886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04725973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047299D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04738996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04742A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04727A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04737AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04726B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04731BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04741B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04634A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04623894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04625E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04642A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04627A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04637C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04635406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04624410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04627C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04630610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046338F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04637AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04634CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046424FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04635CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046374A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046284B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04642081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04639886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04626693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04638563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04625973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04631F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04636349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04626B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04624D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04622735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04630F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046309F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462AFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04636DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046313D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046299D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046265A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046393A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046275A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04621DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04631BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04628784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04638389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04641B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04638996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04074A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04063894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04077C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04075406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04064410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04067C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04070610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04067A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04082A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04065E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04079886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04082081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04066693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04075CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040774A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040684B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04077AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04074CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040824FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040738F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04070F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04062735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04064D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04076349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04066B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04078563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04065973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04071F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04068784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04078389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04078996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04081B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040665A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040793A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040675A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04071BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04061DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040713D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040699D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040709F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406AFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04076DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04185406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04192A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04173894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04189886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041874A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041838F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04180F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04172735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04174D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04176B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04178784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041893A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041809F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04174410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04177C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04180610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04187C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04177A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04184A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04175E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04176693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04192081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041784B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04185CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041924FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04187AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04184CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04186349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04181F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04175973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04188563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04191B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04188996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04188389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04171DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04181BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041765A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041775A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041799D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041813D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04186DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417AFF0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10013B28 appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10013978 appears 91 times

Source: NjTYb3VyzV.dll

Binary or memory string: OriginalFilenameFTPTREE.EXEH vs NjTYb3VyzV.dll

Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NjTYb3VyzV.dll

Virustotal: Detection: 13%

Source: NjTYb3VyzV.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: classification engine

Classification label: mal100.troj.evad.winDLL@18/7@0/29

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10005E84 FormatMessageA,FormatMessageA,FormatMessageA,LocalFree,InternetGetLastResponseInfoA,InternetGetLastResponseInfoA,GetLastError,LocalAlloc,InternetGetLastResponseInfoA,LocalFree,LocalFree,FreeLibrary,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_0417D29B CreateToolhelp32Snapshot,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10001000 LoadResource,

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10013A50 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10013B6D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047210BA push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04721160 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472124E pushfd ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462124E pushfd ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046210BA push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04621160 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406124E pushfd ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040610BA push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04061160 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417124E pushfd ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041710BA push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04171160 push eax; ret

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1002127E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: NjTYb3VyzV.dll

Static PE information: real checksum: 0x6d835 should be: 0x6f415

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000712B IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10003578 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 1908	Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4792	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4624	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B2CC FindFirstFileW,

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: svchost.exe, 00000011.00000002.483249319.00000125DA4E1000.00000004.00000001.sdmp	Binary or memory string: &@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000011.00000002.482442900.00000125DA471000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.483338719.00000125DA4EB000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862133126.00000197B5854000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.861778615.00000197B002A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_100127FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473DDCA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463DDCA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407DDCA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418DDCA mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1001E36A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100127FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10017834 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 41.76.108.46 144
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.200.186.228 187

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1

Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1001C0B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1001D747 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006F89 _memset,GetVersionExA,

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection112	Masquerading2	Input Capture2	System Time Discovery2	Remote Services	Input Capture2	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery35	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NjTYb3VyzV.dll	14%	Virustotal		Browse
NjTYb3VyzV.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.rundll32.exe.50f0000.21.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.4620000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4720000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4d20000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4c40000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4850000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4bf0000.13.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.3fb0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.49b0000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.4060000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4650000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5000000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4df0000.17.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.5170000.23.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5160000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4b10000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4d10000.15.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4170000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4ea0000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4ef0000.19.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000011.00000002.483357499.00000125DA4EE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000011.00000003.463658536.00000125DAD7E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
188.165.214.166	unknown	France	16276	OVHFR	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
91.200.186.228	unknown	Poland	43962	INTENPL	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
191.252.196.221	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528810
Start date:	25.11.2021
Start time:	20:10:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	NjTYb3VyzV (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@18/7@0/29
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.1% (good quality ratio 27.2%) Quality average: 77.7% Quality standard deviation: 24.2%
HCA Information:	Successful, ratio: 81% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 173.222.108.226, 173.222.108.210, 20.54.110.249, 23.35.236.56 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:12:31	API Interceptor	10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	qsd96wjZE5.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	e7wz42SkwL.dll	Get hash	malicious	Browse
	BsOnCFhDmv.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	9lJhBw9aSM.dll	Get hash	malicious	Browse
	mLF68FXslK.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	982tSWUdff.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	N6CyMVFTbm.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	index.dll	Get hash	malicious	Browse
212.237.17.99	qsd96wjZE5.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	e7wz42SkwL.dll	Get hash	malicious	Browse
	BsOnCFhDmv.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	9lJhBw9aSM.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	982tSWUdff.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	N6CyMVFTbm.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	a5uyawQx9G.dll	Get hash	malicious	Browse
	bymJNhzejq.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	order.exe	Get hash	malicious	Browse	62.149.128.40
	3XVTeL2yOE	Get hash	malicious	Browse	95.110.143.3
	UnHAnaAW.arm7	Get hash	malicious	Browse	217.73.230.164
	UnHAnaAW.x86	Get hash	malicious	Browse	94.177.219.211
	qsd96wjZE5.dll	Get hash	malicious	Browse	212.237.56.116
	fbVJyEuYg3.dll	Get hash	malicious	Browse	212.237.56.116
	fbVJyEuYg3.dll	Get hash	malicious	Browse	212.237.56.116
	e7wz42SkwL.dll	Get hash	malicious	Browse	212.237.56.116
	uranium.arm7	Get hash	malicious	Browse	217.73.230.174
	BsOnCFhDmv.dll	Get hash	malicious	Browse	212.237.56.116
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse	212.237.56.116
	1107699960.dll	Get hash	malicious	Browse	212.237.56.116
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse	212.237.56.116
	1107699960.dll	Get hash	malicious	Browse	212.237.56.116
	9lJhBw9aSM.dll	Get hash	malicious	Browse	212.237.56.116
	mLF68FXslK.dll	Get hash	malicious	Browse	212.237.5.209
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse	212.237.56.116
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse	212.237.56.116
	pr2Bw1e98p.dll	Get hash	malicious	Browse	212.237.56.116
	pr2Bw1e98p.dll	Get hash	malicious	Browse	212.237.56.116
OnlineSASFR	sample2.xls.xls	Get hash	malicious	Browse	51.15.56.22
	sample2.xls.xls	Get hash	malicious	Browse	51.15.56.22
	EzCOXP6oxy.dll	Get hash	malicious	Browse	195.154.146.35
	IkroV40UrZ.dll	Get hash	malicious	Browse	195.154.146.35
	C1Q17Dg4RT.dll	Get hash	malicious	Browse	195.154.146.35
	MakbLShaqA.dll	Get hash	malicious	Browse	195.154.146.35
	MakbLShaqA.dll	Get hash	malicious	Browse	195.154.146.35
	tUJXpPwU27.dll	Get hash	malicious	Browse	195.154.146.35
	pYebrdRKvR.dll	Get hash	malicious	Browse	195.154.146.35
	pPX9DaPVYj.dll	Get hash	malicious	Browse	195.154.146.35
	wUKXjICs5f.dll	Get hash	malicious	Browse	195.154.146.35
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	195.154.146.35
	qrb6jVwzoe.dll	Get hash	malicious	Browse	195.154.146.35
	1711.doc	Get hash	malicious	Browse	195.154.146.35
	j9ZfvcmyKN	Get hash	malicious	Browse	51.158.220.39
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	195.154.146.35
	wNjqkrm8pH.dll	Get hash	malicious	Browse	195.154.146.35
	5YO8hZg21O.dll	Get hash	malicious	Browse	195.154.146.35
	dUGnMYeP1C.dll	Get hash	malicious	Browse	195.154.146.35
	yFAXc9z51V.dll	Get hash	malicious	Browse	195.154.146.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24944627613022463
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4V:BJiRdwfu2SRU4V
MD5:	E4C7BF4E87E772A012FADB8F520F4855
SHA1:	4C5A57DFC869E2544F3CA335E7B8BD0820286DF3
SHA-256:	D8EE25BEBC2FC35BA10B1810FBB6BA549C9C7489E004C0E5E0B0948E2C403D53
SHA-512:	CAF6AA014758B6632C5F106F48E8ACDADF28BB64533CFF65CA5BE32F44D712935AD4E86444005D82B5553FBDA784F0B8762F05972F1013E9A63B0F28DDC19E9E
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x391a54b5, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2506186934871907
Encrypted:	false
SSDEEP:	384:LHw+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:LHvSB2nSB2RSjlK/+mLesOj1J2
MD5:	49831ECF881C12C2A0CBBBAF37757579
SHA1:	B38176FB9D44357202AE76E07D477B2D1A826406
SHA-256:	66E3B47AFA9A97C62751E7D138DEE5C805E656B141B5505D75F656DA1B3622FB
SHA-512:	763E13BEEEEE7779F3A33B964970746357EDEE69F78C1F8EECAC871966F5F5861E2213471934DC8EE9822F228B1A6D462AB00F3EA71AAE6068B57B013D6B686C
Malicious:	false
Preview:	9.T.... ................e.f.3...w........................)..........y7.8....y..h.(..........y7...)..............3...w...........................................................................................................B...........@...................................................................................................... ...................................................................................................................................................................................................................................................w..x.....y7.................x=.......y7.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07671611637138794
Encrypted:	false
SSDEEP:	3:H0llJ7vdP/TATU/l+cSro+nT7vr/Q/lAll3Vkttlmlnl:8lJr1/kQ/l+vrjvvr/Q/lA3
MD5:	5001E5FBA68E0B3BA9412FFF613B0E2A
SHA1:	82B5D59196DEF5755766A08532BBA0C5C579EB82
SHA-256:	936D0AF59C202C5FEE04072440B354BE35F981344EDB86A62551996F86818173
SHA-512:	BBD61B390158A07484263FE90DC44BD3A693C4103741816DAA4C7DF8C2347F8F2F62E1B5C655F00B020E50BDAD6E7F6585F7F9F8E772F22578FEA5DDE2DF5E35
Malicious:	false
Preview:	........................................3...w..8....y.......y7..............y7......y7.M/.......y.w................x=.......y7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.118359240275542
Encrypted:	false
SSDEEP:	6:kKEbk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:e9kPlE99SNxAhUeYlUSA/t
MD5:	948FEC524891E8542BDCD79348C57004
SHA1:	F8A6A4A87BB771D894637D8E170B42F8F701207D
SHA-256:	03DEE917D4DF098D8A8293E657707C61A2BE0F8BB72E2F47F8A16DE7EE525FEE
SHA-512:	F57CACBBAB26285FD9F6FE87521D33BD61C60A2DA315E4B9B9FC9400AE73C291E4764391071658324CF3CFB55F86CE9A95C43290BC68A8C1F48CDBDC84AF2220
Malicious:	false
Preview:	p...... ...........{...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0681109275193075
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.51% InstallShield setup (43055/19) 4.10% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NjTYb3VyzV.dll
File size:	397312
MD5:	944f5dec057269043eeb02d551e1593f
SHA1:	c6dc40330793e23a88753d1a5ba18142a0eb33b9
SHA256:	651b117d5a6c37b255cbfa465740b4ea3cea29d41175338c83b1d5b416c29a01
SHA512:	62e2ddd5ba261b56f2149d06a522d28ed2cc81ef9799ce4e731b2bc2b502abed131752619334e3fdf1a383755b41a8f3a0413699c8babe38a41f79951c567f85
SSDEEP:	6144:SwgKH5nGQwn6I6EstfaY0bOjWNUs0G1G9zEoVuIdmF3AxeR9s58SYC:FlFQstfaYAuhPJVTdmF3Axqs58fC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\..a...a...a..w....a..w....a...`...a.......a.....f.a.....u.a.......a.......a.......a.......a.Rich..a.........PE..L...n..a...

File Icon


Icon Hash:	5f35298f8ec6c60a

Static PE Info

General
Entrypoint:	0x100134e1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x619FB96E [Thu Nov 25 16:27:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	98314c63889d16d0b03b55430157c680

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FBC30A5B927h
call 00007FBC30A644E4h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FBC30A5B811h
pop ecx
pop ebp
retn 000Ch
push 0000000Ch
push 1002E358h
call 00007FBC30A5BF3Dh
mov esi, dword ptr [ebp+08h]
test esi, esi
je 00007FBC30A5B997h
cmp dword ptr [1005A4A0h], 03h
jne 00007FBC30A5B965h
push 00000004h
call 00007FBC30A62CEFh
pop ecx
and dword ptr [ebp-04h], 00000000h
push esi
call 00007FBC30A62D17h
pop ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FBC30A5B92Bh
push esi
push eax
call 00007FBC30A62D38h
pop ecx
pop ecx
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FBC30A5B930h
cmp dword ptr [ebp-1Ch], 00000000h
jne 00007FBC30A5B959h
push dword ptr [ebp+08h]
jmp 00007FBC30A5B92Ch
push 00000004h
call 00007FBC30A62BDBh
pop ecx
ret
push esi
push 00000000h
push dword ptr [10058CC4h]
call dword ptr [10027094h]
test eax, eax
jne 00007FBC30A5B938h
call 00007FBC30A5E568h
mov esi, eax
call dword ptr [10027238h]
push eax
call 00007FBC30A5E518h
mov dword ptr [esi], eax
pop ecx
call 00007FBC30A5BF01h
ret
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x30510	0x4d	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ed38	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x4a64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x2b80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ba08	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27000	0x45c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2ecb0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x254c7	0x25600	False	0.566602215719	data	6.62724447142	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x27000	0x955d	0x9600	False	0.338177083333	data	5.1473203532	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x31000	0x294d4	0x25a00	False	0.963740656146	data	7.93678251431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5b000	0x4a64	0x4c00	False	0.265676398026	data	3.91792897845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x795e	0x7a00	False	0.252337346311	data	3.19645976527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5bc40	0x134	data	English	United States
RT_CURSOR	0x5bd74	0xb4	data	English	United States
RT_CURSOR	0x5be28	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x5bf5c	0x134	data	English	United States
RT_CURSOR	0x5c090	0x134	data	English	United States
RT_CURSOR	0x5c1c4	0x134	data	English	United States
RT_CURSOR	0x5c2f8	0x134	data	English	United States
RT_CURSOR	0x5c42c	0x134	data	English	United States
RT_CURSOR	0x5c560	0x134	data	English	United States
RT_CURSOR	0x5c694	0x134	data	English	United States
RT_CURSOR	0x5c7c8	0x134	data	English	United States
RT_CURSOR	0x5c8fc	0x134	data	English	United States
RT_CURSOR	0x5ca30	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x5cb64	0x134	data	English	United States
RT_CURSOR	0x5cc98	0x134	data	English	United States
RT_CURSOR	0x5cdcc	0x134	data	English	United States
RT_BITMAP	0x5cf00	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x5cfe0	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x5d0c0	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x5d1a0	0xb8	data	English	United States
RT_BITMAP	0x5d258	0x144	data	English	United States
RT_ICON	0x5d39c	0x2e8	data	English	United States
RT_ICON	0x5d684	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x5d7ac	0x1d2	data	English	United States
RT_DIALOG	0x5d980	0x14e	data	English	United States
RT_DIALOG	0x5dad0	0xe8	data	English	United States
RT_DIALOG	0x5dbb8	0x34	data	English	United States
RT_STRING	0x5dbec	0x2e2	data	English	United States
RT_STRING	0x5ded0	0x82	data	English	United States
RT_STRING	0x5df54	0x2a	data	English	United States
RT_STRING	0x5df80	0x184	data	English	United States
RT_STRING	0x5e104	0x4e6	data	English	United States
RT_STRING	0x5e5ec	0x264	data	English	United States
RT_STRING	0x5e850	0x2da	data	English	United States
RT_STRING	0x5eb2c	0x8a	data	English	United States
RT_STRING	0x5ebb8	0xac	data	English	United States
RT_STRING	0x5ec64	0xde	data	English	United States
RT_STRING	0x5ed44	0x4a8	data	English	United States
RT_STRING	0x5f1ec	0x228	data	English	United States
RT_STRING	0x5f414	0x2c	data	English	United States
RT_STRING	0x5f440	0x42	data	English	United States
RT_GROUP_CURSOR	0x5f484	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x5f4a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f50c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f520	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f534	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f548	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f55c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f570	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f584	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f598	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f5ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x5f5c0	0x22	data	English	United States
RT_VERSION	0x5f5e4	0x2e4	data	English	United States
RT_MANIFEST	0x5f8c8	0x15a	ASCII text, with CRLF line terminators	English	United States
None	0x5fa24	0x3d	data	English	United States

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, GetCommandLineA, HeapFree, RtlUnwind, HeapReAlloc, RaiseException, VirtualAlloc, Sleep, HeapSize, SetStdHandle, GetFileType, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, VirtualFree, HeapCreate, HeapDestroy, GetStdHandle, SetHandleCount, GetStartupInfoA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetTimeZoneInformation, GetDriveTypeA, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringW, SetEnvironmentVariableA, GetCurrentDirectoryA, WritePrivateProfileStringA, GetOEMCP, GetCPInfo, InterlockedIncrement, GetModuleHandleW, GetFullPathNameA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, CreateFileA, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, GlobalFlags, WaitForSingleObject, CloseHandle, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, InterlockedExchange, lstrcmpA, FreeResource, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, CompareStringA, lstrcmpW, GetVersionExA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, MulDiv, InterlockedDecrement, FormatMessageA, LocalFree, LocalAlloc, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameA, MultiByteToWideChar, FindFirstFileA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindNextFileA, FindClose, lstrlenA, GetModuleHandleA, LoadLibraryA, GetProcAddress, SetLastError, GetLastError, ExitProcess, LockResource, SizeofResource, WideCharToMultiByte, LoadResource, FreeEnvironmentStringsA, FindResourceA
USER32.dll	LoadCursorA, GetSysColorBrush, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, SetCursor, PostQuitMessage, DestroyMenu, GetActiveWindow, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, EndPaint, BeginPaint, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, SetWindowsHookExA, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, SetActiveWindow, DispatchMessageA, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, GetKeyState, SetMenu, SetForegroundWindow, IsWindowVisible, UpdateWindow, PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, ScreenToClient, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, GetMenu, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindow, GetMenuItemID, CallNextHookEx, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetDesktopWindow, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, ReleaseDC, GetDC, CopyRect, IsWindow, GetSystemMenu, GetWindowRect, IsIconic, LoadBitmapA, LoadIconA, DrawIcon, GetClientRect, MessageBoxA, AppendMenuA, GetSystemMetrics, SendMessageA, EnableWindow, GetDlgItem
GDI32.dll	DeleteDC, GetStockObject, SetWindowExtEx, ScaleWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDeviceCaps, CreateBitmap, PtVisible
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll	UrlUnescapeA, PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WININET.dll	InternetConnectA, FtpFindFirstFileA, InternetSetStatusCallback, InternetOpenA, InternetGetLastResponseInfoA, InternetCloseHandle, InternetFindNextFileA, InternetCrackUrlA, InternetCanonicalizeUrlA, FtpSetCurrentDirectoryA, FtpGetCurrentDirectoryA

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x1000325e

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	FTPTREE
FileVersion	1, 0, 0, 1
ProductName	FTPTREE Application
ProductVersion	1, 0, 0, 1
FileDescription	FTPTREE MFC Application
OriginalFilename	FTPTREE.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-20:11:47.796639	TCP	2404346	ET CNC Feodo Tracker Reported CnC Server TCP group 24	49762	443	192.168.2.6	91.200.186.228
11/25/21-20:12:20.540766	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)	8080	49765	41.76.108.46	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 20:11:47.796638966 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:11:47.796709061 CET	443	49762	91.200.186.228	192.168.2.6
Nov 25, 2021 20:11:47.796791077 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:11:47.815093040 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:11:47.815118074 CET	443	49762	91.200.186.228	192.168.2.6
Nov 25, 2021 20:12:20.084088087 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:12:20.127723932 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.327598095 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.327780962 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.328546047 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.537070990 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.540766001 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.540791988 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.540869951 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.540930033 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.454547882 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.655797958 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:22.655930042 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.660901070 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.901134968 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:24.015575886 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:24.015729904 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:27.015990019 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:27.016007900 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:27.016063929 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:27.016103983 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:13:37.729064941 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:13:37.729108095 CET	49765	8080	192.168.2.6	41.76.108.46

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3012 Parent PID: 6064

General

Start time:	20:11:35
Start date:	25/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll"
Imagebase:	0x8d0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 1536 Parent PID: 3012

General

Start time:	20:11:35
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5116 Parent PID: 3012

General

Start time:	20:11:36
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4624 Parent PID: 1536

General

Start time:	20:11:36
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4692 Parent PID: 4624

General

Start time:	20:11:37
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6648 Parent PID: 5116

General

Start time:	20:11:37
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 1972 Parent PID: 6648

General

Start time:	20:11:38
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 5732 Parent PID: 560

General

Start time:	20:11:45
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 7012 Parent PID: 560

General

Start time:	20:12:02
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6080 Parent PID: 560

General

Start time:	20:12:17
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5440 Parent PID: 560

General

Start time:	20:12:30
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 3180 Parent PID: 560

General

Start time:	20:12:56
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NjTYb3VyzV

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre