Windows Analysis Report
G

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 160.16.102.168:80
Source: Malware configuration extractor	IPs: 131.100.24.231:80
Source: Malware configuration extractor	IPs: 200.17.134.35:7080
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 192.254.71.210:443
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 104.168.155.129:8080
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 159.8.59.82:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 209.59.138.75:7080
Source: Malware configuration extractor	IPs: 185.157.82.211:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 162.214.50.39:7080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 178.63.25.185:443
Source: Malware configuration extractor	IPs: 51.15.4.22:443
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 162.243.175.63:443
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.214.173.220:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 51.38.71.0:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 159.89.230.105:443
Source: Malware configuration extractor	IPs: 79.172.212.216:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: S-NET-ASPL S-NET-ASPL

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 185.157.82.211 185.157.82.211

Source: unknown

Network traffic detected: IP country count 21

Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168

Source: svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000023.00000003.567358074.0000020CDDF98000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z\|\|.\|\|031efeb6-e916-442f-a665-3e8426d4bc5a\|\|1152921505694396307\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000023.00000003.567358074.0000020CDDF98000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.567347594.0000020CDDF87000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-21T16:24:38.4044683Z\|\|.\|\|031efeb6-e916-442f-a665-3e8426d4bc5a\|\|1152921505694396307\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000007.00000002.613162045.0000028857899000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585963155.0000020CDDF00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000007.00000002.613054115.000002885780D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000A.00000003.327062871.0000000005222000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.328137684.0000000005221000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.328543955.0000000005221000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.772376808.0000000005221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ccd0eebeef977
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000D.00000002.308972985.000002C185413000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.771095332.000001F988029000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.771095332.000001F988029000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000002.309044741.000002C18546A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.307872220.000002C185468000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308991389.000002C18542D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000002.309011405.000002C185442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308572343.000002C185441000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000D.00000002.309011405.000002C185442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308572343.000002C185441000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307980966.000002C185464000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308972985.000002C185413000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308475328.000002C185445000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309002264.000002C185438000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308991389.000002C18542D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000023.00000003.562388514.0000020CDDFAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562676725.0000020CDDF95000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562660746.0000020CDDF84000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562744963.0000020CDE402000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562510238.0000020CDDFAC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10012C30 _memset,connect,send,recv,

0_2_10012C30

Source: loaddll32.exe, 00000000.00000002.261420321.000000000145B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		2_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_1001B43F

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: G.dll, type: SAMPLE
Source: Yara match	File source: 2.2.regsvr32.exe.4160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4680000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ff0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4f10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4bc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5a00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5340000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e20000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.49f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5440000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.57d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5170000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.44d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5170000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.53e0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5a30000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4f70000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5830000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5480000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4cf0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5080000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5620000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5360000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.57d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5390000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e80000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5890000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5360000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5310000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4bc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.44a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.49a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.50c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5310000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2a60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5830000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.54b0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5080000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5860000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.44a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.51a0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4f70000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4fa0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.53e0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5800000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5a00000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5410000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.58c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e50000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5480000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2db0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.771427491.00000000044D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253283949.0000000004681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771965666.0000000004EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271372941.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.275329419.0000000004B41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272139717.0000000005341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271889554.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.252624792.0000000004161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261577474.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274576456.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.252652791.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772505137.0000000005391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771607352.00000000049F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272090559.00000000052E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272206669.00000000054B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276875884.0000000005861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274675979.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772451917.0000000005360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274922446.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272121589.0000000005310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772785811.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272067370.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276956910.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276851297.0000000005830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.275561648.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772550066.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272183835.0000000005480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771696556.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261493646.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271716926.0000000004F11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772088368.0000000004FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772195967.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271915479.0000000004FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272014124.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.275830029.0000000005801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274491459.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.277008171.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772607036.0000000005411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271693542.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771329130.00000000044A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771770201.0000000004CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274638425.0000000005441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271987224.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772052651.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.770804161.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271513878.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274516629.0000000004EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771574854.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.252573847.0000000004130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.275452087.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.274906583.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771910511.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261522396.0000000002DB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276976546.0000000005A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276938225.00000000058C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771839455.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772278952.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772140071.0000000005080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.770959380.0000000002A61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772251780.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272247152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771878250.0000000004E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276919244.0000000005890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253256451.0000000004650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253348428.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: G.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm:Zone.Identifier

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Ewgbbnt\

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10036007	0_2_10036007
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10041050	0_2_10041050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10040B0E	0_2_10040B0E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1003130F	0_2_1003130F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10041C56	0_2_10041C56
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10036007	2_2_10036007
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041050	2_2_10041050
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003130F	2_2_1003130F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10030460	2_2_10030460
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041592	2_2_10041592
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003E59F	2_2_1003E59F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10040B0E	2_2_10040B0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041C56	2_2_10041C56
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10036CB5	2_2_10036CB5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001CD16	2_2_1001CD16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10042D21	2_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10036007	3_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041050	3_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003130F	3_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030460	3_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041592	3_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003E59F	3_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10040B0E	3_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041C56	3_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10036CB5	3_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001CD16	3_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10042D21	3_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFF8FD	4_2_04EFF8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F09EEC	4_2_04F09EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F020BA	4_2_04F020BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0044F	4_2_04F0044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF3C3C	4_2_04EF3C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF9011	4_2_04EF9011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF7FF2	4_2_04EF7FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF59F2	4_2_04EF59F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F113AD	4_2_04F113AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F04116	4_2_04F04116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0DCF7	4_2_04F0DCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF4EE3	4_2_04EF4EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF64E2	4_2_04EF64E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFAEFB	4_2_04EFAEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0A2E8	4_2_04F0A2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFE2CC	4_2_04EFE2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFB2C7	4_2_04EFB2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0DEDC	4_2_04F0DEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F05CC4	4_2_04F05CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFD6D8	4_2_04EFD6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F066CA	4_2_04F066CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF70B3	4_2_04EF70B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFEE81	4_2_04EFEE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFF09B	4_2_04EFF09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFEA99	4_2_04EFEA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F01889	4_2_04F01889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0907F	4_2_04F0907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF5E60	4_2_04EF5E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0A666	4_2_04F0A666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0AE6D	4_2_04F0AE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F00E53	4_2_04F00E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F10056	4_2_04F10056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF4C5D	4_2_04EF4C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF1A56	4_2_04EF1A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F06C49	4_2_04F06C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF2051	4_2_04EF2051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF2251	4_2_04EF2251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0AA30	4_2_04F0AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0C631	4_2_04F0C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0F435	4_2_04F0F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0AC3A	4_2_04F0AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F10E3A	4_2_04F10E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF3E3F	4_2_04EF3E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0BE27	4_2_04F0BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF7C37	4_2_04EF7C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F10C14	4_2_04F10C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F00001	4_2_04F00001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F08606	4_2_04F08606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF4816	4_2_04EF4816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F06DF8	4_2_04F06DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F095FA	4_2_04F095FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F08BE3	4_2_04F08BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0DBEA	4_2_04F0DBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFDFF3	4_2_04EFDFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF9DCF	4_2_04EF9DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFE5CF	4_2_04EFE5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F07DD5	4_2_04F07DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF2BD9	4_2_04EF2BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F09BCF	4_2_04F09BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F109B5	4_2_04F109B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0C3A0	4_2_04F0C3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF51BB	4_2_04EF51BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F07BA6	4_2_04F07BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF81B7	4_2_04EF81B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0E395	4_2_04F0E395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFAB87	4_2_04EFAB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF9B83	4_2_04EF9B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F04B87	4_2_04F04B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0D389	4_2_04F0D389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFE991	4_2_04EFE991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF8969	4_2_04EF8969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF5361	4_2_04EF5361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFBB7E	4_2_04EFBB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0176B	4_2_04F0176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F02550	4_2_04F02550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFB74D	4_2_04EFB74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF5548	4_2_04EF5548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFCF47	4_2_04EFCF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF4346	4_2_04EF4346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0CB5B	4_2_04F0CB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EFA55F	4_2_04EFA55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0894B	4_2_04F0894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F10F33	4_2_04F10F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF6D24	4_2_04EF6D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0473C	4_2_04F0473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF8B3D	4_2_04EF8B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F0BB23	4_2_04F0BB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF7735	4_2_04EF7735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F08519	4_2_04F08519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04F00B19	4_2_04F00B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04EF9714	4_2_04EF9714

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10032B38 appears 45 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030D5A appears 41 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 100200FD appears 36 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030D27 appears 143 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10032B38 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D5A appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D27 appears 125 times

Source: G.dll

Binary or memory string: OriginalFilenameFinalChatSocketCli.exe> vs G.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: G.dll

Virustotal: Detection: 14%

Source: G.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\G.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\G.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm",YOtq
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hqelimm\rmkavwi.ypm",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\G.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm",YOtq	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hqelimm\rmkavwi.ypm",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: classification engine

Classification label: mal92.troj.evad.winDLL@33/9@0/46

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:3940:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,

0_2_100125C0

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: G.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: G.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: G.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: G.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: G.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10032B7D push ecx; ret	0_2_10032B90
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10032B7D push ecx; ret	2_2_10032B90
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10030DFF push ecx; ret	2_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10032B7D push ecx; ret	3_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030DFF push ecx; ret	3_2_10030E12

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_1003D873

Source: G.dll

Static PE information: real checksum: 0x8df98 should be: 0x88912

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\G.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ewgbbnt\oudxseiqb.wun:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100134F0 IsIconic,	2_2_100134F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	2_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100134F0 IsIconic,	3_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	3_2_10018C9A

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6168	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3016	Thread sleep time: -180000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\loaddll32.exe	API coverage: 6.4 %
Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 3.4 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.8 %

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

0_2_10030334

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		2_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		3_2_10021854

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_2-25063
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-22835

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 00000007.00000002.613112741.000002885785F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585901787.0000020CDD6F6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000007.00000002.613098931.0000028857849000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.612842226.0000028852229000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585890269.0000020CDD6EB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.585790893.0000020CDD671000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.771113068.00000238D1829000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_1002F81E

Source: C:\Windows\System32\loaddll32.exe

0_2_1003D873

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10030A37 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

0_2_10030A37

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04F04087 mov eax, dword ptr fs:[00000030h]

4_2_04F04087

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10037657
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1002F81E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1003ACCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 160.16.102.168 80

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G.dll",#1

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	0_2_10014B71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_1003F570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	2_2_10043730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	2_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	3_2_10014B71

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1003DAA7 cpuid

0_2_1003DAA7

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_1003906D

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

2_2_1003CE1A

Source: C:\Windows\System32\loaddll32.exe

0_2_10030A37

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000F.00000002.770926389.000001D663A3D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.770982746.000001D663B02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: G.dll, type: SAMPLE
Source: Yara match	File source: 2.2.regsvr32.exe.4160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4680000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ff0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4f10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4bc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5a00000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5340000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e20000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.49f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5440000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.57d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5170000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4eb0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.44d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5170000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.53e0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5a30000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4f70000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5830000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5480000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4cf0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5080000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5620000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5360000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.57d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5390000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e80000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5890000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5360000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5310000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4bc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.44a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.49a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.50c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5310000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2a60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5830000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.54b0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5080000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5860000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5890000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.44a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.51a0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4f70000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4fa0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.53e0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5800000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5a00000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5410000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.58c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e50000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5480000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2db0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.771427491.00000000044D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253283949.0000000004681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771965666.0000000004EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271372941.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.275329419.0000000004B41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272139717.0000000005341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271889554.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.252624792.0000000004161000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261577474.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274576456.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.252652791.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772505137.0000000005391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771607352.00000000049F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272090559.00000000052E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272206669.00000000054B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276875884.0000000005861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274675979.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772451917.0000000005360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274922446.0000000005621000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272121589.0000000005310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772785811.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272067370.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276956910.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276851297.0000000005830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.275561648.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772550066.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272183835.0000000005480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771696556.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261493646.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271716926.0000000004F11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772088368.0000000004FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772195967.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271915479.0000000004FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272014124.0000000005281000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.275830029.0000000005801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274491459.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.277008171.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772607036.0000000005411000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271693542.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771329130.00000000044A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771770201.0000000004CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274638425.0000000005441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271987224.0000000005250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772052651.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.770804161.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.271513878.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274516629.0000000004EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771574854.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.252573847.0000000004130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.275452087.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.274906583.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771910511.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261522396.0000000002DB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276976546.0000000005A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276938225.00000000058C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771839455.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772278952.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772140071.0000000005080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.770959380.0000000002A61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.772251780.0000000005170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.272247152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.771878250.0000000004E51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.276919244.0000000005890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253256451.0000000004650000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253348428.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	2 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	45 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Regsvr32	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
G.dll	15%	Virustotal		Browse
G.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.rundll32.exe.4ff0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5a30000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.52e0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.5280000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.4eb0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.4e20000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.32a0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.4f10000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.49f0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.4680000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.regsvr32.exe.4160000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.5250000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.4fc0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.5340000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.44d0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.2d80000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5170000.16.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5440000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.4bc0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.57d0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.4cf0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.5480000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5830000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5620000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5890000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4ec0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5390000.19.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5360000.18.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.4e80000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.4af0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.53c0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.49a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.49c0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.5310000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5860000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.50c0000.15.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2a60000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.54b0000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.54f0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.4130000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4ef0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5080000.14.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.4b40000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.52b0000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.4fa0000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.4ee0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.44a0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.53e0000.20.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.4f70000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.51a0000.17.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5800000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2a30000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5410000.21.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5a00000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.58c0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.4e50000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.2db0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.4650000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000D.00000003.308475328.000002C185445000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000D.00000002.309044741.000002C18546A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.307872220.000002C185468000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308991389.000002C18542D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Stops/	svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000007.00000002.613054115.000002885780D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000023.00000003.562388514.0000020CDDFAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562676725.0000020CDDF95000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562660746.0000020CDDF84000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562744963.0000020CDE402000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.562510238.0000020CDDFAC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308972985.000002C185413000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000D.00000002.309011405.000002C185442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308572343.000002C185441000.00000004.00000001.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000D.00000003.308361693.000002C18542C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.308991389.000002C18542D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000D.00000002.309011405.000002C185442000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308572343.000002C185441000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000D.00000003.307980966.000002C185464000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://disneyplus.com/legal.	svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000D.00000003.308372123.000002C185438000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309002264.000002C185438000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000D.00000002.309015058.000002C185447000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.308429108.000002C185446000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=	svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000D.00000002.308972985.000002C185413000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000D.00000003.308075068.000002C185450000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 00000023.00000003.561038722.0000020CDDF5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.560595902.0000020CDDF91000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000002.309007019.000002C18543E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.286009108.000002C185430000.00000004.00000001.00020000.00000000.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000B.00000002.771126375.000001F988044000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.309019486.000002C18544D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000D.00000003.308210317.000002C18544B000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
185.157.82.211	unknown	Poland	42927	S-NET-ASPL	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
79.172.212.216	unknown	Hungary	61998	SZERVERPLEXHU	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
173.214.173.220	unknown	United States	19318	IS-AS-1US	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
178.63.25.185	unknown	Germany	24940	HETZNER-ASDE	true
160.16.102.168	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
51.15.4.22	unknown	France	12876	OnlineSASFR	true
159.89.230.105	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
162.214.50.39	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
200.17.134.35	unknown	Brazil	1916	AssociacaoRedeNacionaldeEnsinoePesquisaBR	true
217.182.143.207	unknown	France	16276	OVHFR	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
51.38.71.0	unknown	France	16276	OVHFR	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
131.100.24.231	unknown	Brazil	61635	GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
162.243.175.63	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
192.254.71.210	unknown	United States	64235	BIGBRAINUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
104.168.155.129	unknown	United States	54290	HOSTWINDSUS	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
209.59.138.75	unknown	United States	32244	LIQUIDWEBUS	true
159.8.59.82	unknown	United States	36351	SOFTLAYERUS	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562446
Start date:	28.01.2022
Start time:	22:06:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	G (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@33/9@0/46
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 81.8%) Quality average: 63.4% Quality standard deviation: 34.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 143
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 2.20.156.69, 92.123.101.234, 84.53.177.16, 8.248.135.254, 67.26.83.254, 8.241.126.121, 8.248.113.254, 8.248.145.254, 20.54.7.98, 40.91.112.76
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afde
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:07:27	API Interceptor	10x Sleep call for process: svchost.exe modified
22:08:41	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	1162545482187818.xls	Get hash	malicious	Browse
	364453688149503140239183.xls	Get hash	malicious	Browse
	CJ68000754184.xls	Get hash	malicious	Browse
	imedpub_2.xls	Get hash	malicious	Browse
	imedpub_6.xls	Get hash	malicious	Browse
	imedpub.com_6.xls	Get hash	malicious	Browse
	imedpub.com_10.xls	Get hash	malicious	Browse
	iMedPub LTD_10.xls	Get hash	malicious	Browse
	iMedPub LTD_12.xls	Get hash	malicious	Browse
	iMedPub LTD_14.xls	Get hash	malicious	Browse
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse
	iMedPub LTD_15.xls	Get hash	malicious	Browse
	iMedPub LTD_2.xls	Get hash	malicious	Browse
	iMedPub LTD_3.xls	Get hash	malicious	Browse
	iMedPub LTD_7.xls	Get hash	malicious	Browse
	iMedPub LTD_8.xls	Get hash	malicious	Browse
	imedpub.xls	Get hash	malicious	Browse
	InnovincConf_1.xls	Get hash	malicious	Browse
	innovinc.org.xls	Get hash	malicious	Browse
	ANFg7r0v2A.dll	Get hash	malicious	Browse
185.157.82.211	1162545482187818.xls	Get hash	malicious	Browse
	364453688149503140239183.xls	Get hash	malicious	Browse
	CJ68000754184.xls	Get hash	malicious	Browse
	imedpub_2.xls	Get hash	malicious	Browse
	imedpub_6.xls	Get hash	malicious	Browse
	imedpub.com_6.xls	Get hash	malicious	Browse
	imedpub.com_10.xls	Get hash	malicious	Browse
	iMedPub LTD_10.xls	Get hash	malicious	Browse
	iMedPub LTD_12.xls	Get hash	malicious	Browse
	iMedPub LTD_14.xls	Get hash	malicious	Browse
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse
	iMedPub LTD_15.xls	Get hash	malicious	Browse
	iMedPub LTD_2.xls	Get hash	malicious	Browse
	iMedPub LTD_3.xls	Get hash	malicious	Browse
	iMedPub LTD_7.xls	Get hash	malicious	Browse
	iMedPub LTD_8.xls	Get hash	malicious	Browse
	imedpub.xls	Get hash	malicious	Browse
	InnovincConf_1.xls	Get hash	malicious	Browse
	innovinc.org.xls	Get hash	malicious	Browse
	ANFg7r0v2A.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
S-NET-ASPL	1162545482187818.xls	Get hash	malicious	Browse	185.157.82.211
	364453688149503140239183.xls	Get hash	malicious	Browse	185.157.82.211
	CJ68000754184.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub_2.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub_6.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.com_6.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.com_10.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_10.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_12.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_14.xls	Get hash	malicious	Browse	185.157.82.211
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_15.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_2.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_3.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_7.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_8.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.xls	Get hash	malicious	Browse	185.157.82.211
	InnovincConf_1.xls	Get hash	malicious	Browse	185.157.82.211
	innovinc.org.xls	Get hash	malicious	Browse	185.157.82.211
	ANFg7r0v2A.dll	Get hash	malicious	Browse	185.157.82.211
OnlineSASFR	GULPPYUMBy.dll	Get hash	malicious	Browse	195.154.146.35
	1162545482187818.xls	Get hash	malicious	Browse	51.15.4.22
	AcqQhfewOu.dll	Get hash	malicious	Browse	195.154.146.35
	364453688149503140239183.xls	Get hash	malicious	Browse	51.15.4.22
	80_513972285.xls	Get hash	malicious	Browse	195.154.146.35
	Attachment-2801.xls	Get hash	malicious	Browse	195.154.146.35
	CJ68000754184.xls	Get hash	malicious	Browse	51.15.4.22
	DOCUMENT_2801.xls	Get hash	malicious	Browse	195.154.146.35
	DETAILS-145.xls	Get hash	malicious	Browse	195.154.146.35
	imedpub_2.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub_6.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.com_6.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.com_10.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_10.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_12.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_14.xls	Get hash	malicious	Browse	51.15.4.22
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_15.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_2.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_3.xls	Get hash	malicious	Browse	51.15.4.22

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.2494191616701416
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU43:BJiRdwfu2SRU43
MD5:	E857A2FEF29FCA8E264531352652DBBC
SHA1:	B564D344D0A8A7C9047F3F40580B57BCF419504F
SHA-256:	19DB0E4C90D5537312D35784F53D43887DC6E88BCD7477FEAA19F77E00EC4010
SHA-512:	2A94DF2F13BE243F3EB8AC38B13B3B18B23E05A708361E111328762A63D1B67B00C2E057131D6865F72813308F1199E5020B756D6553BFA4C63F4E852EF3ECB7
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x52f2e4c5, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2506927879454543
Encrypted:	false
SSDEEP:	384:0Hl+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:0HWSB2nSB2RSjlK/+mLesOj1J2
MD5:	A83BEC41E55D05CE038BDC7A1018DCAD
SHA1:	41AE1956D9807AF9D55AE32E53835D32B669FDBF
SHA-256:	40AEE4CD8D6D844DABCE7B418195283FD7C961DD0726497225C9C157EC71BA5B
SHA-512:	6D042B6A2A44E7A56B32B11EB2FC7DFF238F8C4491659B054588D968B2BB5F65600F2767DE25C303B5DE3A722703E8EEF5B6DFBEC619B8D756230AE9C1FE0791
Malicious:	false
Preview:	R...... ................e.f.3...w........................).....'....z.......z..h.(.....'....z....)..............3...w...........................................................................................................B...........@...................................................................................................... .....................................................................................................................................................................................................................................................'....z.....................'....z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07555734692185856
Encrypted:	false
SSDEEP:	3:IAtJ7v+mEtl6EW5GNzNOKtloll3Vkttlmlnl:IAtJr+mZE0GFE3
MD5:	301EB1441EF64B67B28B4FEC7DC4CF2F
SHA1:	65B4C002D9302CC22A5AC4B92205193E412A2C0C
SHA-256:	86AC0659194C5E57ACBEF2CB67FEEC036FC5AC44A6CE70D4672F8BB8D5DAC4FE
SHA-512:	5E77FCA47BDCC57B6ABE632B8E8840BA4BB8F4F8F9ACEE982DDA8BC83C639E395D4644C3402642355D8FACE3464522D41DCA15F58A185121A752F14E55D47E16
Malicious:	false
Preview:	.........................................3...w.......z..'....z..........'....z..'....z..j..'....z.....................'....z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.124456801251152
Encrypted:	false
SSDEEP:	6:kKyVpk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:I9kPlE99SNxAhUeYlUSA/t
MD5:	70B33AF3E5D8CD74F67DB50884A8A843
SHA1:	A315017EE23DAFF1E11651BD844E61D026C5592A
SHA-256:	A3E355C0DE56B896F4348EA363F6A189014553E76E0D8EA9570FCBC0745F0F7C
SHA-512:	4AEC4BE0871CEEEF8CF82282743E5768239946E17FF67813AD2A8DE47A0FCF31EEB9A365F9B81C5F5FAC6232B8FD385F78B407B141CEFEF1A8CC973423BF9DFC
Malicious:	false
Preview:	p...... ...............(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	7250
Entropy (8bit):	3.1656561873025773
Encrypted:	false
SSDEEP:	96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEU+AbN:cY+38+DJc+iGr+MZ+65+6tg+ECf+k
MD5:	FC51C55256A49DF627F2FAE9FB9ECFA4
SHA1:	E71C9548E61C94E09819590A75B83860B9A31550
SHA-256:	CC1F122A9A20EE7774BB639A47401B7DF501F129DE46432CFD4717AFDA8D8AF3
SHA-512:	8F4D57B2C54BAE32702036208DFF7FA607F621E9252D9EC4C8BE14CBBAC01B20F6238C69D0836E38A0E13DE8A34EB4558D967732AFD883D7BF3C263A0BF76DE0
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220129_060738_769.etl

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7647535863641495
Encrypted:	false
SSDEEP:	96:kCXdu2o+0wK51u912YhmC6vI2lbSkfP4olT2rYFzFUMCV6JRefiY5EUMCjY5VUMM:fvlkA92cCjCOxCSCcCUCLCo
MD5:	DF75CDBAB997D6A53699F1AB7BFF9803
SHA1:	D32B7AD9E2EFBCF8B0255D5173DE6BFBAA0AE376
SHA-256:	7841B26BD8062698D4347543D28C5398663CE316E92198968B396D87DC45EBFC
SHA-512:	9F1BB1422DE62B83A225E023EF7BC03E75D540C1317E6D4B105089025FD1D8276AE118B9B09A37EA6D3F3C0235389DC4CF7151D6F5837E0444A4862417ACD1AA
Malicious:	false
Preview:	.... ... ....................................... ...!...........................T...D...2........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... ....................8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.2.9._.0.6.0.7.3.8._.7.6.9...e.t.l.........P.P.T...D...2.......................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.980525357469701
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	G.dll
File size:	548864
MD5:	630b6dad3884c5f5d7ed81c5bb29cdbb
SHA1:	a613c00841a31bc27a0c9bdf4f210d6c6aceaac6
SHA256:	d393bc3918eb1f83e3e3b481ada09a63931b366137e5a7c5542f32ac4ddad4bb
SHA512:	bdc13049601a329d46fa28ad304b2cf2f46cea27dee58105dd58933340c338a975c71202094ad5b7107c31216698070956461ca2d49171859b583807dd94773e
SSDEEP:	12288:B2AavzUBPSczbeeTLjvZyMwWd3DYr6i64/:OUBPSczbeeTnvNZDWA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x10030d06
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61F3FA3E [Fri Jan 28 14:14:22 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4d2f65566a93075f8824e97bf321580

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F4AF0A91687h
call 00007F4AF0A999E0h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F4AF0A91572h
pop ecx
retn 000Ch
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100545CCh]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100545CCh]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100545CCh]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x52d40	0x52	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51034	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x25650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x4e30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4bd90	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x46000	0x594	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x50fac	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44539	0x45000	False	0.469899937726	data	6.61746201386	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x46000	0xcd92	0xd000	False	0.33779672476	data	5.22505682142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x53000	0x6580	0x3000	False	0.2626953125	PGP symmetric key encrypted data -	4.05344995258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x25650	0x26000	False	0.91111353824	data	7.81782767468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0x9362	0xa000	False	0.346728515625	data	4.18207580283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
DASHBOARD	0x5ab04	0x21600	data	Chinese	Taiwan
RT_CURSOR	0x7c104	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7c238	0xb4	data	Chinese	Taiwan
RT_CURSOR	0x7c2ec	0x134	AmigaOS bitmap font	Chinese	Taiwan
RT_CURSOR	0x7c420	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7c554	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7c688	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7c7bc	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7c8f0	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7ca24	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7cb58	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7cc8c	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7cdc0	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7cef4	0x134	AmigaOS bitmap font	Chinese	Taiwan
RT_CURSOR	0x7d028	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7d15c	0x134	data	Chinese	Taiwan
RT_CURSOR	0x7d290	0x134	data	Chinese	Taiwan
RT_BITMAP	0x7d3c4	0xb8	data	Chinese	Taiwan
RT_BITMAP	0x7d47c	0x144	data	Chinese	Taiwan
RT_DIALOG	0x7d5c0	0x148	data	Chinese	Taiwan
RT_DIALOG	0x7d708	0x26a	data	Chinese	Taiwan
RT_DIALOG	0x7d974	0xe8	data	Chinese	Taiwan
RT_DIALOG	0x7da5c	0x34	data	Chinese	Taiwan
RT_STRING	0x7da90	0x58	data	Chinese	Taiwan
RT_STRING	0x7dae8	0x82	data	Chinese	Taiwan
RT_STRING	0x7db6c	0x2a	data	Chinese	Taiwan
RT_STRING	0x7db98	0x192	data	Chinese	Taiwan
RT_STRING	0x7dd2c	0x4e2	data	Chinese	Taiwan
RT_STRING	0x7e210	0x31a	data	Chinese	Taiwan
RT_STRING	0x7e52c	0x2dc	data	Chinese	Taiwan
RT_STRING	0x7e808	0x8a	data	Chinese	Taiwan
RT_STRING	0x7e894	0xac	data	Chinese	Taiwan
RT_STRING	0x7e940	0xde	data	Chinese	Taiwan
RT_STRING	0x7ea20	0x4c4	data	Chinese	Taiwan
RT_STRING	0x7eee4	0x264	data	Chinese	Taiwan
RT_STRING	0x7f148	0x2c	data	Chinese	Taiwan
RT_STRING	0x7f174	0x42	data	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f1b8	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f1dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f1f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f204	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f218	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f22c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f240	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f254	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f27c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f290	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f2a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f2b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f2cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_GROUP_CURSOR	0x7f2e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	Taiwan
RT_VERSION	0x7f2f4	0x304	data	Chinese	Taiwan
RT_MANIFEST	0x7f5f8	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileAttributesA, GetFileTime, GetTickCount, RtlUnwind, GetSystemInfo, HeapReAlloc, GetCommandLineA, ExitProcess, ExitThread, CreateThread, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, HeapDestroy, HeapCreate, GetStdHandle, GetOEMCP, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetACP, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, FormatMessageA, LocalFree, InterlockedDecrement, MulDiv, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, WritePrivateProfileStringA, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, GlobalLock, lstrcmpA, GlobalAlloc, GlobalDeleteAtom, GetModuleHandleA, GetLastError, lstrlenA, CompareStringA, CompareStringW, MultiByteToWideChar, InterlockedExchange, GetVersion, WideCharToMultiByte, LockResource, FindResourceA, FindResourceW, LoadResource, SizeofResource, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, SetHandleCount, VirtualQuery
USER32.dll	GetNextDlgGroupItem, MessageBeep, UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, LoadCursorA, SetCapture, DestroyMenu, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, InvalidateRgn, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, ReleaseDC, GetDC, CopyRect, SetWindowLongA, GetWindowLongA, GetSystemMetrics, DrawIcon, AppendMenuA, SendMessageA, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, CharNextA, GetLastActivePopup, IsWindowEnabled, GetSysColorBrush, ReleaseCapture, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, CharUpperA, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, SetCursor, MessageBoxA, IsChild
GDI32.dll	ExtSelectClipRgn, DeleteDC, GetStockObject, GetDeviceCaps, GetBkColor, GetTextColor, GetRgnBox, GetMapMode, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, CreateBitmap, RectVisible, PtVisible, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateRectRgnIndirect, TextOutA
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegQueryValueA, RegSetValueExA, RegCreateKeyExA, RegCloseKey, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA
COMCTL32.dll	InitCommonControlsEx
SHLWAPI.dll	PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
WS2_32.dll	recv, connect, WSACleanup, socket, WSAStartup, htons, inet_addr, closesocket, send
oledlg.dll
ole32.dll	StgOpenStorageOnILockBytes, CoGetClassObject, CoTaskMemAlloc, StgCreateDocfileOnILockBytes, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, CreateILockBytesOnHGlobal, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, OleInitialize, CoFreeUnusedLibraries, OleUninitialize
OLEAUT32.dll	SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysFreeString

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10012860

Version Infos

Description	Data
LegalCopyright	Innoversal. All rights reserved.
InternalName	FinalChatSocketCli.exe
FileVersion	1.0.2.4
CompanyName	Innoversal
ProductName	Char room only
ProductVersion	1.0.2.4
FileDescription	Chat room
OriginalFilename	FinalChatSocketCli.exe
Translation	0x0404 0x03b6

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 22:07:53.350701094 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:07:53.655407906 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:07:53.655544996 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:07:54.820058107 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:07:55.124425888 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:07:55.139054060 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:07:55.139079094 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:07:55.139134884 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:07:55.139163017 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:08:00.040966034 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:08:00.345963001 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:08:00.346338034 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:08:00.351422071 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:08:00.694885015 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:08:01.515592098 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:08:01.517086029 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:08:04.515413046 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:08:04.515451908 CET	80	49768	160.16.102.168	192.168.2.5
Jan 28, 2022 22:08:04.516236067 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:09:43.295095921 CET	49768	80	192.168.2.5	160.16.102.168
Jan 28, 2022 22:09:43.295161963 CET	49768	80	192.168.2.5	160.16.102.168

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49768	160.16.102.168	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 22:07:54.820058107 CET	1460	OUT	Data Raw: 16 03 03 00 8a 01 00 00 86 03 03 61 f4 d9 ba 1a 18 24 e2 7f 56 04 14 e4 1a 5e 1b 58 9c bf 99 52 6d b8 e3 f3 4e 4e c8 9a aa 45 35 00 00 26 c0 2c c0 2b c0 30 c0 2f c0 24 c0 23 c0 28 c0 27 c0 0a c0 09 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c 00 35 00 2f Data Ascii: a$V^XRmNNE5&,+0/$#('=<5/7#
Jan 28, 2022 22:07:55.139054060 CET	1462	IN	Data Raw: 16 03 03 00 41 02 00 00 3d 03 03 64 a5 00 8e d9 32 e1 96 07 00 15 84 a6 7a b2 3a 31 86 09 72 cb 10 19 f2 e4 b1 53 ff dd 9f 0f 8a 00 c0 30 00 00 15 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 23 00 00 00 17 00 00 16 03 03 03 cf 0b 00 03 cb 00 03 c8 Data Ascii: A=d2z:1rS0#00\b0H0w10UGB10ULondon10ULondon10UGlobal Security10UIT Department10Uexample.c
Jan 28, 2022 22:07:55.139079094 CET	1462	IN	Data Raw: ae ea 13 e9 8d 42 b6 33 00 1d 38 f5 d4 da 42 d9 9a 16 03 03 00 04 0e 00 00 00 Data Ascii: B38B
Jan 28, 2022 22:08:00.040966034 CET	1549	OUT	Data Raw: 16 03 03 00 25 10 00 00 21 20 27 fa 92 52 51 48 f7 4a 68 af bf c9 7f ef ae 3a 01 f8 e5 36 7a 2d 45 2d 9e 4c 8b 42 b2 83 6c 62 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 6b 5d c7 c5 db 3b 28 bc bf 43 43 5a 77 cb 11 9b 79 61 db e1 ed Data Ascii: %! 'RQHJh:6z-E-LBlb(k];(CCZwyaOes.U
Jan 28, 2022 22:08:00.345963001 CET	1550	IN	Data Raw: 16 03 03 00 ba 04 00 00 b6 00 00 01 2c 00 b0 33 70 0a af c5 a3 25 d7 ea bb d3 9d ed ff 05 9b 49 49 f7 65 b7 07 4e 5c e9 59 03 73 46 73 5a d6 c4 b9 e8 7c 8c ca 0b 6d 47 ab 3f 58 3a 78 0f 5a fb 49 99 91 6d ba 2a 4f af 59 31 a8 d2 db 32 a6 4d 15 ff Data Ascii: ,3p%IIeN\YsFsZ\|mG?X:xZIm*OY12M,2}QM)T\PmBa`gw,ad `B>9((uFylsM]QuTo 0o4" i(t$5Zlg/mnV}{F @o?_!
Jan 28, 2022 22:08:00.351422071 CET	1550	OUT	Data Raw: 17 03 03 02 28 00 00 00 00 00 00 00 01 1c 02 2c 60 a9 ec ac 62 2f 43 94 e4 8b 94 5e fe 9e 07 2a 65 5a fc 90 b2 e7 cb 05 75 d6 17 99 54 a0 41 42 26 d7 fe 8e a0 3a 5c a6 d3 5e 77 fe 45 63 38 04 0a af ee 6e 45 ea eb 6a 41 02 52 99 88 a9 eb a8 12 ac Data Ascii: (,`b/C^eZuTAB&:\^wEc8nEjAR,@R`%#2S&B)Tdc,yN7%^9'Bcf2H>DK:PfR#?9L*x<tUe7H-@NV\|aT(].>B[S]3z](
Jan 28, 2022 22:08:01.515592098 CET	1552	IN	Data Raw: 17 03 03 04 f4 74 96 24 de fa 35 19 1f 16 e0 d0 50 7a 5c 2d 56 0b 9d 36 e8 a7 49 dc 89 35 e9 c4 87 17 fd 9d 62 ad 96 35 60 e9 dd c1 bb 04 74 a7 ab 67 f0 5d 61 92 5e db 9c 00 39 8f e9 84 f2 6b 79 29 3b a0 be f8 00 94 59 f8 1e 98 8d f8 ca d8 79 4b Data Ascii: t$5Pz\-V6I5b5`tg]a^9ky);YyK.W8C Mjk[\|<+@I3b`ZLTDpr`5HAPg[xiJ2gG+2;#w?/sz9-2{=6)Pw,z]EVn#RIw0q<
Jan 28, 2022 22:08:04.515413046 CET	1552	IN	Data Raw: 15 03 03 00 1a 74 96 24 de fa 35 19 20 9c 79 83 5e 64 06 4a db f4 3e 1f 06 b1 bd b3 5c 06 ae Data Ascii: t$5 y^dJ>\

Target ID:	0
Start time:	22:07:20
Start date:	28/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\G.dll"
Imagebase:	0xa20000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.261577474.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.261493646.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.261522396.0000000002DB1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	1
Start time:	22:07:20
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	22:07:21
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\G.dll
Imagebase:	0x850000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.252624792.0000000004161000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.252652791.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.252573847.0000000004130000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	3
Start time:	22:07:21
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\G.dll",#1
Imagebase:	0x1a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.253283949.0000000004681000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.253256451.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.253348428.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Target ID:	4
Start time:	22:07:21
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\G.dll,DllRegisterServer
Imagebase:	0x1a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.274576456.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.276875884.0000000005861000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.274675979.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.274922446.0000000005621000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.276956910.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.276851297.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.275830029.0000000005801000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.274491459.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.277008171.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.274638425.0000000005441000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.274516629.0000000004EF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.275452087.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.276976546.0000000005A31000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.276938225.00000000058C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.276919244.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	5
Start time:	22:07:22
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Imagebase:	0x1a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	22:07:22
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Imagebase:	0x1a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271372941.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272139717.0000000005341000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271889554.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272090559.00000000052E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272206669.00000000054B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272121589.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272067370.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272183835.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271716926.0000000004F11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271915479.0000000004FF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272014124.0000000005281000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271693542.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271987224.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.271513878.00000000049A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.272247152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	high

Target ID:	7
Start time:	22:07:26
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	8
Start time:	22:07:26
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\G.dll",DllRegisterServer
Imagebase:	0x7ff797770000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	9
Start time:	22:07:30
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hqelimm\rmkavwi.ypm",YOtq
Imagebase:	0x1a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.275329419.0000000004B41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.275561648.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.274906583.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Target ID:	10
Start time:	22:07:33
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hqelimm\rmkavwi.ypm",DllRegisterServer
Imagebase:	0x1a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771427491.00000000044D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771965666.0000000004EB1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772505137.0000000005391000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771607352.00000000049F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772451917.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772785811.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772550066.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771696556.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772088368.0000000004FA1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772195967.00000000050C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772607036.0000000005411000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771329130.00000000044A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771770201.0000000004CF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772052651.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.770804161.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771574854.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771910511.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771839455.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772278952.00000000051A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772140071.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.770959380.0000000002A61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.772251780.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.771878250.0000000004E51000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Target ID:	11
Start time:	22:07:36
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	12
Start time:	22:07:38
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	13
Start time:	22:07:39
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	14
Start time:	22:07:39
Start date:	28/01/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff745120000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	22:07:40
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	21
Start time:	22:07:57
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	23
Start time:	22:08:09
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	26
Start time:	22:08:27
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	28
Start time:	22:08:41
Start date:	28/01/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff679ff0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	29
Start time:	22:08:41
Start date:	28/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	35
Start time:	22:09:45
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	37
Start time:	22:10:05
Start date:	28/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language