Windows Analysis Report
G

Overview

General Information

Sample Name: G (renamed file extension from none to dll)
Analysis ID: 562446
MD5: 630b6dad3884c5f5d7ed81c5bb29cdbb
SHA1: a613c00841a31bc27a0c9bdf4f210d6c6aceaac6
SHA256: d393bc3918eb1f83e3e3b481ada09a63931b366137e5a7c5542f32ac4ddad4bb
Tags: dll
Infos:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Found malware configuration
Source: 6.2.rundll32.exe.4ff0000.5.unpack Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: G.dll Virustotal: Detection: 14% Perma Link
Machine Learning detection for sample
Source: G.dll Joe Sandbox ML: detected

Compliance
barindex
Uses 32bit PE files
Source: G.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10021854

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 160.16.102.168:80
Source: Malware configuration extractor IPs: 131.100.24.231:80
Source: Malware configuration extractor IPs: 200.17.134.35:7080
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 192.254.71.210:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 104.168.155.129:8080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 159.8.59.82:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 209.59.138.75:7080
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 162.214.50.39:7080
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 178.63.25.185:443
Source: Malware configuration extractor IPs: 51.15.4.22:443
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 162.243.175.63:443
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.214.173.220:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 51.38.71.0:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 159.89.230.105:443
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 21
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000023.00000003.567358074.0000020CDDF98000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z||.||031efeb6-e916-442f-a665-3e8426d4bc5a||1152921505694396307||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000023.00000003.567358074.0000020CDDF98000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z||.||031efeb6-e916-442f-a665-3e8426d4bc5a||1152921505694396307||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000007.00000002.613162045.0000028857899000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585963155.0000020CDDF00000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000007.00000002.613054115.000002885780D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000A.00000003.327062871.0000000005222000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.328137684.0000000005221000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.328543955.0000000005221000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.772376808.0000000005221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ccd0eebeef977
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.308972985.000002C185413000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.771095332.000001F988029000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.771095332.000001F988029000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000002.309044741.000002C18546A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.307872220.000002C185468000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308991389.000002C18542D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000002.309011405.000002C185442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308572343.000002C185441000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000002.309011405.000002C185442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308572343.000002C185441000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307980966.000002C185464000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308972985.000002C185413000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308475328.000002C185445000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309002264.000002C185438000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308991389.000002C18542D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000023.00000003.562388514.0000020CDDFAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562676725.0000020CDDF95000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562660746.0000020CDDF84000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562744963.0000020CDE402000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562510238.0000020CDDFAC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012C30 _memset,connect,send,recv, 0_2_10012C30

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.261420321.000000000145B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1001B43F

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: G.dll, type: SAMPLE
Source: Yara match File source: 2.2.regsvr32.exe.4160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ff0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4bc0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5a00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5340000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e20000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5440000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.57d0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5170000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.44d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5170000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.53e0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5a30000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f70000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5830000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5480000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4cf0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5080000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5620000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5360000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.57d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5390000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e80000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5890000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5360000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5310000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4bc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.44a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.49a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.50c0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5310000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2a60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5830000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.54b0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4b40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5080000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5860000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.44a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.51a0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f70000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4fa0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.53e0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5800000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5a00000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5410000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.58c0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e50000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5480000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.771427491.00000000044D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253283949.0000000004681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771965666.0000000004EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271372941.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.275329419.0000000004B41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272139717.0000000005341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271889554.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252624792.0000000004161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261577474.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274576456.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252652791.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772505137.0000000005391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771607352.00000000049F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272090559.00000000052E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272206669.00000000054B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276875884.0000000005861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274675979.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772451917.0000000005360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274922446.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272121589.0000000005310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772785811.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272067370.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276956910.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276851297.0000000005830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.275561648.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772550066.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272183835.0000000005480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771696556.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261493646.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271716926.0000000004F11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772088368.0000000004FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772195967.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271915479.0000000004FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272014124.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275830029.0000000005801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274491459.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.277008171.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772607036.0000000005411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271693542.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771329130.00000000044A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771770201.0000000004CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274638425.0000000005441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271987224.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772052651.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770804161.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271513878.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274516629.0000000004EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771574854.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252573847.0000000004130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275452087.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.274906583.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771910511.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261522396.0000000002DB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276976546.0000000005A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276938225.00000000058C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771839455.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772278952.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772140071.0000000005080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770959380.0000000002A61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772251780.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272247152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771878250.0000000004E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276919244.0000000005890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253256451.0000000004650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253348428.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary
barindex
Uses 32bit PE files
Source: G.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ewgbbnt\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10036007 0_2_10036007
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10041050 0_2_10041050
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10040B0E 0_2_10040B0E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003130F 0_2_1003130F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10041C56 0_2_10041C56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10036007 2_2_10036007
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041050 2_2_10041050
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003130F 2_2_1003130F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030460 2_2_10030460
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041592 2_2_10041592
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E59F 2_2_1003E59F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10040B0E 2_2_10040B0E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041C56 2_2_10041C56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10036CB5 2_2_10036CB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001CD16 2_2_1001CD16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10042D21 2_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10036007 3_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041050 3_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003130F 3_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030460 3_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041592 3_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E59F 3_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040B0E 3_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041C56 3_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10036CB5 3_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CD16 3_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10042D21 3_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFF8FD 4_2_04EFF8FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F09EEC 4_2_04F09EEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F020BA 4_2_04F020BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0044F 4_2_04F0044F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF3C3C 4_2_04EF3C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF9011 4_2_04EF9011
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF7FF2 4_2_04EF7FF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF59F2 4_2_04EF59F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F113AD 4_2_04F113AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F04116 4_2_04F04116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0DCF7 4_2_04F0DCF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF4EE3 4_2_04EF4EE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF64E2 4_2_04EF64E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFAEFB 4_2_04EFAEFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0A2E8 4_2_04F0A2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFE2CC 4_2_04EFE2CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFB2C7 4_2_04EFB2C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0DEDC 4_2_04F0DEDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F05CC4 4_2_04F05CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFD6D8 4_2_04EFD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F066CA 4_2_04F066CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF70B3 4_2_04EF70B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFEE81 4_2_04EFEE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFF09B 4_2_04EFF09B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFEA99 4_2_04EFEA99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F01889 4_2_04F01889
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0907F 4_2_04F0907F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF5E60 4_2_04EF5E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0A666 4_2_04F0A666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0AE6D 4_2_04F0AE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F00E53 4_2_04F00E53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F10056 4_2_04F10056
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF4C5D 4_2_04EF4C5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF1A56 4_2_04EF1A56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F06C49 4_2_04F06C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF2051 4_2_04EF2051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF2251 4_2_04EF2251
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0AA30 4_2_04F0AA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0C631 4_2_04F0C631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0F435 4_2_04F0F435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0AC3A 4_2_04F0AC3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F10E3A 4_2_04F10E3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF3E3F 4_2_04EF3E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0BE27 4_2_04F0BE27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF7C37 4_2_04EF7C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F10C14 4_2_04F10C14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F00001 4_2_04F00001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F08606 4_2_04F08606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF4816 4_2_04EF4816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F06DF8 4_2_04F06DF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F095FA 4_2_04F095FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F08BE3 4_2_04F08BE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0DBEA 4_2_04F0DBEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFDFF3 4_2_04EFDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF9DCF 4_2_04EF9DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFE5CF 4_2_04EFE5CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F07DD5 4_2_04F07DD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF2BD9 4_2_04EF2BD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F09BCF 4_2_04F09BCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F109B5 4_2_04F109B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0C3A0 4_2_04F0C3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF51BB 4_2_04EF51BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F07BA6 4_2_04F07BA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF81B7 4_2_04EF81B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0E395 4_2_04F0E395
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFAB87 4_2_04EFAB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF9B83 4_2_04EF9B83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F04B87 4_2_04F04B87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0D389 4_2_04F0D389
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFE991 4_2_04EFE991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF8969 4_2_04EF8969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF5361 4_2_04EF5361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFBB7E 4_2_04EFBB7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0176B 4_2_04F0176B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F02550 4_2_04F02550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFB74D 4_2_04EFB74D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF5548 4_2_04EF5548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFCF47 4_2_04EFCF47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF4346 4_2_04EF4346
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0CB5B 4_2_04F0CB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EFA55F 4_2_04EFA55F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0894B 4_2_04F0894B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F10F33 4_2_04F10F33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF6D24 4_2_04EF6D24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0473C 4_2_04F0473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF8B3D 4_2_04EF8B3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F0BB23 4_2_04F0BB23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF7735 4_2_04EF7735
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F08519 4_2_04F08519
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F00B19 4_2_04F00B19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04EF9714 4_2_04EF9714
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10032B38 appears 45 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030D5A appears 41 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 100200FD appears 36 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030D27 appears 143 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10032B38 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D5A appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030D27 appears 125 times
Sample file is different than original file name gathered from version info
Source: G.dll Binary or memory string: OriginalFilenameFinalChatSocketCli.exe> vs G.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: G.dll Virustotal: Detection: 14%
Source: G.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\G.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\G.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm",YOtq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hqelimm\rmkavwi.ypm",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\G.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm",YOtq Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hqelimm\rmkavwi.ypm",DllRegisterServer Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winDLL@33/9@0/46
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3940:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc, 0_2_100125C0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: G.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: G.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: G.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: G.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: G.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10032B7D push ecx; ret 0_2_10032B90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10032B7D push ecx; ret 2_2_10032B90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030DFF push ecx; ret 2_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10032B7D push ecx; ret 3_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030DFF push ecx; ret 3_2_10030E12
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1003D873
PE file contains an invalid checksum
Source: G.dll Static PE information: real checksum: 0x8df98 should be: 0x88912
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\G.dll

Persistence and Installation Behavior
barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ewgbbnt\oudxseiqb.wun:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100134F0 IsIconic, 2_2_100134F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 2_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100134F0 IsIconic, 3_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10018C9A
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6168 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3016 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.4 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 3.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.8 %
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 0_2_10030334
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10021854
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000007.00000002.613112741.000002885785F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585901787.0000020CDD6F6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000007.00000002.613098931.0000028857849000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.612842226.0000028852229000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585890269.0000020CDD6EB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585790893.0000020CDD671000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.771113068.00000238D1829000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging
barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1002F81E
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_1003D873
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 0_2_10030A37
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04F04087 mov eax, dword ptr fs:[00000030h] 4_2_04F04087
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10037657
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 160.16.102.168 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1 Jump to behavior

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 0_2_10014B71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1003F570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10043730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_10014B71
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003DAA7 cpuid 0_2_1003DAA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_1003906D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 2_2_1003CE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 0_2_10030A37

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000F.00000002.770926389.000001D663A3D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.770982746.000001D663B02000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: G.dll, type: SAMPLE
Source: Yara match File source: 2.2.regsvr32.exe.4160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ff0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4f10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4bc0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5a00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5340000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e20000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5440000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.57d0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5170000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.44d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5170000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.53e0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5a30000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f70000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5830000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5480000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4cf0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5080000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5620000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5360000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.57d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5390000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e80000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5890000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5360000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5310000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4bc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.44a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.49a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.50c0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5310000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2a60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5830000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.54b0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4b40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5080000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5860000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.44a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.51a0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4f70000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4fa0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.53e0000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5800000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4fc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.5a00000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5410000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.58c0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4e50000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.53c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5480000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.771427491.00000000044D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253283949.0000000004681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771965666.0000000004EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271372941.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.275329419.0000000004B41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272139717.0000000005341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271889554.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252624792.0000000004161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261577474.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274576456.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252652791.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772505137.0000000005391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771607352.00000000049F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272090559.00000000052E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272206669.00000000054B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276875884.0000000005861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274675979.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772451917.0000000005360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274922446.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272121589.0000000005310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772785811.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272067370.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276956910.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276851297.0000000005830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.275561648.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772550066.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272183835.0000000005480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771696556.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261493646.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271716926.0000000004F11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772088368.0000000004FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772195967.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271915479.0000000004FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272014124.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275830029.0000000005801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274491459.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.277008171.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772607036.0000000005411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271693542.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771329130.00000000044A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771770201.0000000004CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274638425.0000000005441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271987224.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772052651.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770804161.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.271513878.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274516629.0000000004EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771574854.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252573847.0000000004130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275452087.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.274906583.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771910511.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261522396.0000000002DB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276976546.0000000005A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276938225.00000000058C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771839455.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772278952.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772140071.0000000005080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.770959380.0000000002A61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.772251780.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272247152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.771878250.0000000004E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.276919244.0000000005890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253256451.0000000004650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253348428.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562446 Sample: G Startdate: 28/01/2022 Architecture: WINDOWS Score: 92 49 129.232.188.93 xneeloZA South Africa 2->49 51 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->51 53 42 other IPs or domains 2->53 57 Found malware configuration 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected Emotet 2->61 63 3 other signatures 2->63 11 loaddll32.exe 1 2->11         started        13 svchost.exe 2->13         started        16 svchost.exe 9 1 2->16         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 21 cmd.exe 1 11->21         started        23 rundll32.exe 2 11->23         started        26 regsvr32.exe 11->26         started        28 rundll32.exe 11->28         started        71 Changes security center settings (notifications, updates, antivirus, firewall) 13->71 30 MpCmdRun.exe 1 13->30         started        47 127.0.0.1 unknown unknown 16->47 signatures6 process7 signatures8 32 rundll32.exe 21->32         started        67 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->67 34 rundll32.exe 26->34         started        36 conhost.exe 30->36         started        process9 process10 38 rundll32.exe 2 32->38         started        signatures11 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->65 41 rundll32.exe 38->41         started        process12 process13 43 rundll32.exe 41->43         started        dnsIp14 55 160.16.102.168, 49768, 80 SAKURA-BSAKURAInternetIncJP Japan 43->55 69 System process connects to network (likely due to code injection or exploit) 43->69 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.154.133.20
 unknown France
12876 OnlineSASFR true
185.157.82.211
 unknown Poland
42927 S-NET-ASPL true
212.237.17.99
 unknown Italy
31034 ARUBA-ASNIT true
79.172.212.216
 unknown Hungary
61998 SZERVERPLEXHU true
110.232.117.186
 unknown Australia
56038 RACKCORP-APRackCorpAU true
173.214.173.220
 unknown United States
19318 IS-AS-1US true
212.24.98.99
 unknown Lithuania
62282 RACKRAYUABRakrejusLT true
138.185.72.26
 unknown Brazil
264343 EmpasoftLtdaMeBR true
178.63.25.185
 unknown Germany
24940 HETZNER-ASDE true
160.16.102.168
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP true
81.0.236.90
 unknown Czech Republic
15685 CASABLANCA-ASInternetCollocationProviderCZ true
103.75.201.2
 unknown Thailand
133496 CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH true
216.158.226.206
 unknown United States
19318 IS-AS-1US true
45.118.115.99
 unknown Indonesia
131717 IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID true
51.15.4.22
 unknown France
12876 OnlineSASFR true
159.89.230.105
 unknown United States
14061 DIGITALOCEAN-ASNUS true
162.214.50.39
 unknown United States
46606 UNIFIEDLAYER-AS-1US true
200.17.134.35
 unknown Brazil
1916 AssociacaoRedeNacionaldeEnsinoePesquisaBR true
217.182.143.207
 unknown France
16276 OVHFR true
107.182.225.142
 unknown United States
32780 HOSTINGSERVICES-INCUS true
51.38.71.0
 unknown France
16276 OVHFR true
45.118.135.203
 unknown Japan 63949 LINODE-APLinodeLLCUS true
50.116.54.215
 unknown United States
63949 LINODE-APLinodeLLCUS true
131.100.24.231
 unknown Brazil
61635 GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR true
46.55.222.11
 unknown Bulgaria
34841 BALCHIKNETBG true
41.76.108.46
 unknown South Africa
327979 DIAMATRIXZA true
173.212.193.249
 unknown Germany
51167 CONTABODE true
45.176.232.124
 unknown Colombia
267869 CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC true
178.79.147.66
 unknown United Kingdom
63949 LINODE-APLinodeLLCUS true
212.237.5.209
 unknown Italy
31034 ARUBA-ASNIT true
162.243.175.63
 unknown United States
14061 DIGITALOCEAN-ASNUS true
176.104.106.96
 unknown Serbia
198371 NINETRS true
207.38.84.195
 unknown United States
30083 AS-30083-GO-DADDY-COM-LLCUS true
164.68.99.3
 unknown Germany
51167 CONTABODE true
192.254.71.210
 unknown United States
64235 BIGBRAINUS true
212.237.56.116
 unknown Italy
31034 ARUBA-ASNIT true
104.168.155.129
 unknown United States
54290 HOSTWINDSUS true
45.142.114.231
 unknown Germany
44066 DE-FIRSTCOLOwwwfirst-colonetDE true
203.114.109.124
 unknown Thailand
131293 TOT-LLI-AS-APTOTPublicCompanyLimitedTH true
209.59.138.75
 unknown United States
32244 LIQUIDWEBUS true
159.8.59.82
 unknown United States
36351 SOFTLAYERUS true
129.232.188.93
 unknown South Africa
37153 xneeloZA true
58.227.42.236
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
158.69.222.101
 unknown Canada
16276 OVHFR true
104.251.214.46
 unknown United States
54540 INCERO-HVVCUS true

Private

IP
127.0.0.1