Play interactive tour

Edit tour

Windows Analysis Report snBYiBAMB2

Overview

General Information

Sample Name:	snBYiBAMB2 (renamed file extension from none to dll)
Analysis ID:	532249
MD5:	4bd80b1d18138b1808925ddb69991001
SHA1:	2a78af27a95639c1095e4f8a411a8efb9c861abc
SHA256:	32f1f59b8c52019d2a946ddff1996e13fbadac1ed518278a281267f440ea3ea4
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

Changes security center settings (notifications, updates, antivirus, firewall)

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Connects to several IPs in different countries

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4348 cmdline: loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6596 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6628 cmdline: rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6120 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6560 cmdline: rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5116 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4104 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5744 cmdline: rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5976 cmdline: rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5984 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1896 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6644 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6768 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5092 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 7076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 4360 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4548 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5340 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2584 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 400 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.ac4248.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e041f0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2cb0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.400000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.990000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.990000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.400000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.ac4248.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2f10000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2cb0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.f0e3f0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.f0e3f0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.e90000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.4700000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.e90000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.4700000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2f10000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e041f0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 13 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5116, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL, ProcessId: 4104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: snBYiBAMB2.dll

Virustotal: Detection: 24%

Perma Link

Source: snBYiBAMB2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: snBYiBAMB2.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2BA20 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2BA20 FindFirstFileExW,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown

Network traffic detected: IP country count 18

Source: svchost.exe, 0000000A.00000002.439435350.000002A54E413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.combled
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.410874299.000002A54E468000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459059998.000002A54E46A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.412843267.000002A54E45F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457686821.000002A54E460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Source: snBYiBAMB2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Gcdru\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA057C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2AE28
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA31F65
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA12C70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1FD1F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA21D50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA02B50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA358EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA0E6B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA357CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA30569
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA09380
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1C366
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA340B7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1C132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F306EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F256A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F291F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F289DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F18D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F23130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F18112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F15314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F320F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F30AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F27EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F154C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F23ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F204A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F168AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F13085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F31C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F30C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F20A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F13E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F20824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F21C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F32C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F11DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F16BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F335E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F213DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F15DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F139C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F24DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F20FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F277A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F133A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F26B91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F31987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F17D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F25B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F32560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F19565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F15166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F14F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F3314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F32D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F17739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F16125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F14716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F28518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F33306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA057C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1FEEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2AE28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA31F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA12C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1FD1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA21D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA02B50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA358EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA0E6B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA357CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA30569
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA09380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1C366
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA340B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1C132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004206EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00420C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00421C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00411C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00422C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00410824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00410A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00403E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004054C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00420AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00417EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004220F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00403085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004104A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004156A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004068AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00413ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00404F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0042314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00422D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00408D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00422560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00409565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00405166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00415B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00423306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00408112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00405314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00404716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00418518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00406125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00413130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00407739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00405DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004039C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00414DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00410FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004113DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004189DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004235E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004191F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00401DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00406BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00421987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00407D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004177A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004033A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD06EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC7EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD0AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD20F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBBEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC56A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC04A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC3ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCB0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD0C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCE478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD1C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCBA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD2C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC1C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC0824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCCC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC0A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB39C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC4DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC0FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCE7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC89DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC13DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD35E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCD5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC91F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD1987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC77A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCBFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD2D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB4F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCC145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCF561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBDD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD2560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC5B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCC772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCD10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD3306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC8518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCCF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC3130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047206EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04721C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04720C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04710A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04703E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04710824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04711C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04722C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047220F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04720AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04717EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047054C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04713ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047104A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047156A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047068AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04703085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04715B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04722560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04709565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04705166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04708D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04704F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0472314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04722D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04713130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04707739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04706125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04708112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04705314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04704716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04718518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04723306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047191F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04701DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04706BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047235E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047113DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047189DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04705DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047039C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04714DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04710FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047177A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047033A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04721987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04707D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470938F

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EA14F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EA14F90 appears 52 times

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA01460 zwijaemkuj,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA01460 zwijaemkuj,

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: snBYiBAMB2.dll

Binary or memory string: OriginalFilenameCtqfbxsirs.dll6 vs snBYiBAMB2.dll

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: snBYiBAMB2.dll

Virustotal: Detection: 24%

Source: snBYiBAMB2.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: classification engine

Classification label: mal88.troj.evad.winDLL@35/2@0/29

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA0AF10 CoCreateInstance,OleRun,

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:4544:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA057C0 GetTickCount64,FindResourceA,

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: snBYiBAMB2.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA14FE0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA373E1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA14FE0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA0E240 push esi; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA373E1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB150F push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470150F push ds; ret

Source: snBYiBAMB2.dll

Static PE information: real checksum: 0x80fdc should be: 0x7ce11

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AEDA29h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AC4769h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AEDA1Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AC475Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AEDA29h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AC475Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA062C0 rdtscp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2BA20 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2BA20 FindFirstFileExW,

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.799410994.00000207A9429000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA1744C GetProcessHeap,HeapFree,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA062C0 rdtscp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA062C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA062C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA24F94 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA07A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2B715 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA17334 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F24315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA062C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA062C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA24F94 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA07A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2B715 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA17334 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00414315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC4315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04714315 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1

Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA14C86 cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA14FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000C.00000002.799608607.000002126D43D000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.799352659.000002126D429000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.800023296.000002126D502000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection12	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery151	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Information Discovery123	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
snBYiBAMB2.dll	25%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.rundll32.exe.990000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.2cb0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.2.loaddll32.exe.e90000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.4700000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.2f10000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.combled	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000A.00000003.410874299.000002A54E468000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459059998.000002A54E46A000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.combled	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000A.00000003.412843267.000002A54E45F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457686821.000002A54E460000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000A.00000002.439435350.000002A54E413000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532249
Start date:	01.12.2021
Start time:	21:39:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	snBYiBAMB2 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winDLL@35/2@0/29
EGA Information:	Failed
HDC Information:	Successful, ratio: 36.9% (good quality ratio 35.2%) Quality average: 72.1% Quality standard deviation: 25.3%
HCA Information:	Successful, ratio: 78% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 23.35.236.56, 52.251.79.25, 40.91.112.76, 20.54.110.249 Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:42:37	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	6zAcNlJXo7.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
212.237.17.99	6zAcNlJXo7.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	DHL DOCUMENT FOR #504.exe	Get hash	malicious	Browse	62.149.128.40
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	invoice template 33142738819.docx	Get hash	malicious	Browse	94.177.217.88
RACKCORP-APRackCorpAU	6zAcNlJXo7.dll	Get hash	malicious	Browse	110.232.117.186
	6zAcNlJXo7.dll	Get hash	malicious	Browse	110.232.117.186
	mal.dll	Get hash	malicious	Browse	110.232.117.186
	mal2.dll	Get hash	malicious	Browse	110.232.117.186
	mal.dll	Get hash	malicious	Browse	110.232.117.186
	mal2.dll	Get hash	malicious	Browse	110.232.117.186
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	110.232.117.186
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	110.232.117.186
	9sQccNfqAR.dll	Get hash	malicious	Browse	110.232.117.186
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	110.232.117.186
	9sQccNfqAR.dll	Get hash	malicious	Browse	110.232.117.186
	t3XtgyQEoe.dll	Get hash	malicious	Browse	110.232.117.186
	t3XtgyQEoe.dll	Get hash	malicious	Browse	110.232.117.186
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse	110.232.117.186
	U4pi8WRxNJ.dll	Get hash	malicious	Browse	110.232.117.186
	oERkAQeB4d.dll	Get hash	malicious	Browse	110.232.117.186
	FC9fpZrma1.dll	Get hash	malicious	Browse	110.232.117.186
	Z4HpRSQD6I.dll	Get hash	malicious	Browse	110.232.117.186
	uLCt7sc5se.dll	Get hash	malicious	Browse	110.232.117.186
	rGF1Xgw9Il.dll	Get hash	malicious	Browse	110.232.117.186
OnlineSASFR	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	51.15.17.195
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	195.154.133.20
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	67MPsax8fd.exe	Get hash	malicious	Browse	163.172.208.8
	Linux_x86	Get hash	malicious	Browse	212.83.174.79
	184285013-044310-Factura pendiente (2).exe	Get hash	malicious	Browse	212.83.130.20
	MTjXit7IJn	Get hash	malicious	Browse	51.158.219.54

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.1623855628144644
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z0+Ut:j+s+v+b+P+m+0+Q+q+D+Ut
MD5:	71CC33C92A040B1FBB33C0B71A141AAB
SHA1:	26E36B3FD6648A8FA719479E373D00B2D72AFE79
SHA-256:	65C9951C6373E80FA3F6F9F1A6A2B05082185D6853C773A25A0496F86465616D
SHA-512:	E4A5134CE42793DCF68BE8F1342E0D7CAD0ADAECAF3296FCA70D1EB309A8B1545BF084FB17637105606D10FB2CE6E195629146217D2000BCEB72AB819D8E4D6A
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_054042_931.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.8115487201863103
Encrypted:	false
SSDEEP:	96:dC+Po+/a5P+9l/YzWCj/I2lAikSe4dsT2XjFzFNMCDdJR8j5KgNMCQj5dNMCPj5E:0UxNmE2DUJC/PCTCPC2JCBCo
MD5:	895A0530F6008758BC78F45AC359A9CE
SHA1:	CCEA51FC004374A10657E58991084ECB8A5B6131
SHA-256:	87576788303323CCA1677CE84483904037EB48013D4F174A0CBAB030BD14CE7C
SHA-512:	FA65B859797DE4B7BE48432A09E86E76C64612139EF58BB8C71DB1363DE7A0B81754673197D642D441B046FE8700A3636D9D3A9BF0E8705E42AB9686A8B44ED2
Malicious:	false
Preview:	.... ... ....................................... ...!...........................h...p...J........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ........%?...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.5.4.0.4.2._.9.3.1...e.t.l.........P.P.h...p...J.......................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.186195017328645
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	snBYiBAMB2.dll
File size:	472064
MD5:	4bd80b1d18138b1808925ddb69991001
SHA1:	2a78af27a95639c1095e4f8a411a8efb9c861abc
SHA256:	32f1f59b8c52019d2a946ddff1996e13fbadac1ed518278a281267f440ea3ea4
SHA512:	d4488b660326344b71e74fb7f8fccd6a51b9f0d34266eb1c05d8d03c511f3e2a6665ee168afa96a35a25fcf99e92aa7845f4f3be0dd5c590c628c4c7d0a69819
SSDEEP:	12288:bRCSNg9VtfjQRVcVTd4qoxHbGeJsjEyP79iAM7/3+/Z1:NCh5sQTgxsjEUinE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a~..............f.......f..T....u.......u.......u.......f.......f.......f..........%...Du......Du......Du..............Du.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10014c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A7B2CD [Wed Dec 1 17:37:17 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	171ec87b04dbf6cc5aa2b57f2bec0e02

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FCC484EC527h
call 00007FCC484EC92Dh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FCC484EC3D3h
add esp, 0Ch
pop ebp
retn 000Ch
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003A3D0h
mov dword ptr [ecx], 1003A3C8h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCC484EC4FFh
push 10049E1Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCC484EFC2Eh
int3
push ebp
mov ebp, esp
and dword ptr [1004D888h], 00000000h
sub esp, 24h
or dword ptr [1004C00Ch], 01h
push 0000000Ah
call dword ptr [1003A0C4h]
test eax, eax
je 00007FCC484EC6CFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4a8e0	0x6bc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4af9c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x24448	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0x2cb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x46678	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a000	0x2e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x385cc	0x38600	False	0.541457351718	data	6.65488747706	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3a000	0x11f44	0x12000	False	0.496636284722	data	5.5177662601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4c000	0x23d4	0x1600	False	0.225852272727	data	3.92752770482	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x4f000	0x24448	0x24600	False	0.805768094931	data	7.67601542511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0x2cb4	0x2e00	False	0.726647418478	data	6.54150636624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
TYPELIB	0x72c30	0x670	data	English	United States
RT_BITMAP	0x4f190	0x23867	data	Russian	Russia
RT_STRING	0x732a0	0x26	data	English	United States
RT_VERSION	0x729f8	0x238	data	English	United States
RT_MANIFEST	0x732c8	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
pdh.dll	PdhValidatePathW, PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhOpenQueryW
KERNEL32.dll	GetCurrentThreadId, GetEnvironmentStringsW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetLastError, GetCurrentProcess, GetCommandLineW, TlsAlloc, MultiByteToWideChar, RaiseException, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, DisableThreadLibraryCalls, IsProcessorFeaturePresent, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleCP, WriteFile, GetACP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, FreeEnvironmentStringsW, GetCommandLineA, IsValidCodePage, FindNextFileW, FindFirstFileExW, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleHandleExW, ExitProcess, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, InterlockedFlushSList, RtlUnwind, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetThreadLocale, GetOEMCP, GetThreadErrorMode, GetTickCount, GetProcessHeap, CloseHandle, ReadFile, FindClose, IsDebuggerPresent, UnregisterApplicationRestart, GetTickCount64, ReadConsoleW, SetStdHandle, CreateFileW, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FlushFileBuffers, GetStringTypeW, LCMapStringEx, EncodePointer, LocalFree, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, TerminateProcess
USER32.dll	GetCapture, GetActiveWindow, EmptyClipboard, GetForegroundWindow, GetClipboardSequenceNumber, GetDesktopWindow, CountClipboardFormats, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, GetWindowLongW, SetWindowLongW, CharNextW, UnregisterClassW, CloseClipboard, AnyPopup, IsProcessDPIAware, GetMessageTime
GDI32.dll	SetBkMode, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, GdiFlush, SetTextColor
ADVAPI32.dll	RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	SHGetFolderPathW, ShellExecuteW
ole32.dll	CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, SysAllocStringLen, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib, LoadRegTypeLib, VariantClear

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10001200
awrrqyparpkpycx	2	0x10001350
bcnxvrdkfysosxtof	3	0x10001300
bkthnbqipwkpwbuqn	4	0x10001440
blhbenztkdwg	5	0x10001310
blyqbdpbh	6	0x100015a0
bntxpwehhpaojhbqb	7	0x10001260
cdmahnzd	8	0x10001490
cestjqdez	9	0x10001540
ctckagthn	10	0x10001240
dasxnlwgrpainp	11	0x100015b0
dvftcymvsa	12	0x100012a0
dwgavci	13	0x10001590
eabfguyuttqf	14	0x10001320
ejtkhwatnfrlrr	15	0x100013f0
eomwtglrqfutbo	16	0x100013c0
frpzizrlrcgr	17	0x10001570
gbdiswsds	18	0x10001280
gcmzsgn	19	0x100012f0
gqfwwufmukqeio	20	0x100014b0
hcnqnfylg	21	0x10001610
hhcdvbefdscafwa	22	0x10001520
htzzzgduzk	23	0x10001380
icxceeklnawczpwc	24	0x10001480
jahiwehoyrycsjhf	25	0x10001360
jgoglnajycfrlk	26	0x10001510
jiyrjpoumdwxexxsv	27	0x100013a0
jtqskxtgkrkia	28	0x10001270
kbvifuif	29	0x10001600
kputsvjabepsnzox	30	0x10001530
lmmbdiqa	31	0x10001640
lpbmrlvinpqalyd	32	0x100013b0
mfeamwllbq	33	0x10001370
mutwgttswogaa	34	0x10001450
ngxkyaylt	35	0x100013e0
nogpzigjdf	36	0x10001330
nrnuphftbngzc	37	0x10001400
nxjosmfchcjxsr	38	0x100015e0
onxxivtoov	39	0x10001560
oskjmlpxjpcxnlzl	40	0x10001470
pevxjgue	41	0x100012e0
qqedzerkzspr	42	0x100012b0
qtvjelwfroyj	43	0x10001660
qwmwbtewatvhnva	44	0x10001410
qznyvarzsmhpjpx	45	0x10001500
rjtbflwz	46	0x10001240
rmlylgegemvlohqmb	47	0x10001430
rzbjjhcysrzuum	48	0x10001650
sdkesgqtpetexasn	49	0x10001390
szoxdysyyzkhjkn	50	0x100014f0
tflxdiilstfp	51	0x100015f0
tkldqyrppxwplz	52	0x10001630
tkzbqgarrm	53	0x10001230
upsxxlezh	54	0x100013d0
vuhxpaqaemgxeob	55	0x100014c0
vvvqeplpriipkgtv	56	0x10001340
wntjrfbwziesleuyp	57	0x10001420
wuqulebvho	58	0x10001250
xjsxvfowvjvdcbgz	59	0x100015c0
xovnlwuunlqusqqq	60	0x10001550
xpcbxiugz	61	0x100014e0
ydjlotnbubccokwt	62	0x100014a0
ydysedvaagyxiyrt	63	0x10001290
yisncivd	64	0x10001380
ymaojtetv	65	0x100012c0
ypprhtipwpldcl	66	0x100012d0
zclangwoeoirusft	67	0x100015d0
zfykixsa	68	0x100014d0
ztgisvyh	69	0x10001620
zwijaemkuj	70	0x10001460
zzniuhcueiwdb	71	0x10001580

Version Infos

Description	Data
InternalName	Ctqfbxsirs.dll
FileVersion	8.8.7.8
ProductName	Ctqfbxsirs
ProductVersion	8.8.7.8
FileDescription	rqdads
OriginalFilename	Ctqfbxsirs.dll
Translation	0x0408 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4348 Parent PID: 5828

General

Start time:	21:40:05
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll"
Imagebase:	0x980000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 6596 Parent PID: 4348

General

Start time:	21:40:05
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6560 Parent PID: 4348

General

Start time:	21:40:06
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6628 Parent PID: 6596

General

Start time:	21:40:06
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 6644 Parent PID: 572

General

Start time:	21:40:09
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5744 Parent PID: 4348

General

Start time:	21:40:10
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5976 Parent PID: 4348

General

Start time:	21:40:14
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 6768 Parent PID: 572

General

Start time:	21:40:25
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5092 Parent PID: 572

General

Start time:	21:40:43
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 7076 Parent PID: 572

General

Start time:	21:41:04
Start date:	01/12/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7b1450000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4360 Parent PID: 572

General

Start time:	21:41:16
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6120 Parent PID: 6628

General

Start time:	21:42:27
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0x7ff682a50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 5116 Parent PID: 6560

General

Start time:	21:42:28
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, Author: Joe Security

Analysis Process: MpCmdRun.exe PID: 4548 Parent PID: 4360

General

Start time:	21:42:33
Start date:	01/12/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7059e0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4544 Parent PID: 4548

General

Start time:	21:42:34
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6225d0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6132 Parent PID: 5744

General

Start time:	21:42:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 5984 Parent PID: 5976

General

Start time:	21:42:46
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 1896 Parent PID: 4348

General

Start time:	21:42:47
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 1356 Parent PID: 572

General

Start time:	21:42:56
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5340 Parent PID: 572

General

Start time:	21:43:34
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2584 Parent PID: 572

General

Start time:	21:43:40
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 4104 Parent PID: 5116

General

Start time:	21:43:44
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 400 Parent PID: 572

General

Start time:	21:43:56
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report snBYiBAMB2

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior